Hi Koen,
I'm not sure disabling GET would be an ideal approach.
GET is a big part of REST, if the user is using the HTTP Verb to indicate the action they want to do.
Plus it's possible to use GET with an authorization header, or with a cookie, both of which would be very much ok - and in some cases probably required.
So sure, it would be nice to detect, and prevent the login and password being part of the URL, but there's no easy way I can think of offhand to do that, and still keep the general "correctness" of the API - especially as you are making a REST API.
Cheers
Bruce