They certainly have the ability. It’s in Settings, and is kept in Duplicati-server.sqlite configuration database.
Then you’ve probably seen this screen on first use of the UI, which is a typical place to set up passwords:
If you let some users set up their own backup config, they might have chosen Yes and set up a password.
If you have to clear a password, that’s possible, but it would be good to check with the affected users first.
They can remove their password more easily than they added it. If they didn’t add it, that’s a different story.
Is this a duplicati.com install? Some third parties add passwords, but I don’t know why it’d be inconsistent.