Suggested 'rpcpassword' should not be printed to debug.log #5094

@maaku

When starting with -server (or -daemon) and no rpcpassword option is set, the following text is printed to the console:

```
Error: To use the "-server" option, you must set a rpcpassword in the configuration file:
/home/user/.bitcoin/bitcoin.conf
It is recommended you use the following random password:
rpcuser=bitcoinrpc
rpcpassword=98FUPXSEJAc796o4c2kX8p8r1tsoNiWiiWFDBei83F8i
(you do not need to remember this password)
The username and password MUST NOT be the same.
```

This is good. However, the same text, including the password, is also printed to debug.log. That is a security risk, as it is typically not expected that debug logs contain sensitive information. It would not be difficult to find bitcoin nodes which are exposing an RPC interface on the same IP address, despite warnings against this, and social engineer access to the debug.log and compromise the node.
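One way to keep such a message on the console while keeping the secret out of the log file, as an added example that is not part of the original issue and is not Bitcoin Core's own code. `RedactForLog` and `ReportStartupError` are hypothetical names, and the password in the sample message is a constructed placeholder.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical helper (not a Bitcoin Core function): returns a copy of `msg`
// that is safe to write to a log file. Any line of the form "<key>=<value>"
// whose key is listed in `secret_keys` keeps the key but loses the value.
std::string RedactForLog(const std::string& msg,
                         const std::vector<std::string>& secret_keys = {"rpcpassword"})
{
    std::istringstream in(msg);
    std::string line, out;
    while (std::getline(in, line)) {
        const std::string::size_type start = line.find_first_not_of(" \t");
        for (const std::string& key : secret_keys) {
            // Match only "key=" at the start of the line (after indentation).
            if (start != std::string::npos &&
                line.compare(start, key.size() + 1, key + "=") == 0) {
                line = line.substr(0, start + key.size() + 1) + "<redacted>";
                break;
            }
        }
        out += line + "\n";
    }
    return out;
}

// Hypothetical split of the two sinks: the operator's console receives the
// full text, the log sink only ever receives the redacted copy.
void ReportStartupError(const std::string& msg, std::ostream& console, std::ostream& log)
{
    console << msg;
    log << RedactForLog(msg);
}

int main()
{
    // Constructed sample: shortened message with a placeholder password.
    const std::string msg =
        "It is recommended you use the following random password:\n"
        "rpcuser=bitcoinrpc\n"
        "rpcpassword=EXAMPLE-PLACEHOLDER-VALUE\n"
        "(you do not need to remember this password)\n";
    std::ostringstream log;
    ReportStartupError(msg, std::cout, log);
    std::cout << "--- debug.log would contain ---\n" << log.str();
}
```

The redaction matches only `key=` at the start of a line, so a secret embedded mid-sentence would need a stricter rule or, better, should never be passed to the logging path at all.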
