Password fields cannot be fetched, you will need to select a different field type or customize the controller and write your own sanitization function.
As you can see here: https://strapi.io/documentation/developer-docs/latest/concepts/controllers.html#find
We are using
const { sanitizeEntity } = require('strapi-utils');
And the code for that function is here: strapi/sanitize-entity.js at master · strapi/strapi · GitHub
Specifically we are stripping any password fields out: