On top of jareon's answer, you could also go to Clients > {your-client}. On Authentication flow you should disable the Direct access grants. This will disable the password grant type which should not be used and will be removed on OAuth 2.1 specification.