TP-Link routers have been shipping routers that have password-protected access enabled by default. The default password on some of the devices is the devices’ MAC address, which is a unique identifier associated only with that device. An attacker could deduce the device’s password in seconds using a packet-capture tool such as Wireshark. If router manufacturers can’t get it right either, that bodes poorly for many of the millions of Internet of Things devices now being shipped (see The Internet of Dangerous Toys?).”]
Source: https://www.cuinfosecurity.com/blogs/tp-link-routers-fail-sniff-test-p-2044