not every tp-link model (or revision, or locale, or firmware version) that shares a web interface with the c7 requires you to manually set a password. even if that were the case, there are bound to be users who aren't security savvy and chose a very weak password (e.g. "password", "admin").

many tp-link routers also have configurable vpn servers built in, which can open up the whole network to malicious actors.