by Maxious 2307 days ago
Raspbian did originally come with SSH enabled by default but the default credentials pi/raspberry made it trivial for misuse: https://www.zdnet.com/article/linux-malware-enslaves-raspber...
2 comments

Exactly. You can't have it both ways: make it easy to remember the user/pass and also make it easy to log in remotely.
Probably the right decision then. As I don't put them on public networks and delete the pi user this is of little concern to me, but given the target group, it is a simple safety measure.
I think there is a better solution: On a new install, on first login, over SSH or in the GUI, a user/password must be created.

This way the initial login only works once. Both GUI user/pass and SSH user/pass are tied by default.

This is how it works in Armbian. It forces a password change on first login. It can be annoying if you intend on deleting the alarm user right after that, but I can easily see why. "Default" passwords are always suboptimal.
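
An added example, not part of the thread and not code from Raspbian or Armbian: a defender-side audit for the forced-change-on-first-login idea discussed above. It assumes the standard Linux shadow mechanism, where a last-change field of `0` forces a password change at next login; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg == 0 means "must change password at next login"; this is what
# `chage -d 0 USER` or `passwd -e USER` sets on an image before shipping.

# audit_shadow FILE -> one line per account: "<user> <status>"
#   locked          no usable password hash (field starts with ! or *)
#   empty-password  login without any password
#   must-change     usable hash, change forced at next login
#   static          usable hash, no forced change (review these)
audit_shadow() {
    awk -F: '
        $1 == "" || /^#/ { next }
        {
            hash = $2; lastchg = $3
            if (hash == "")            status = "empty-password"
            else if (hash ~ /^[!*]/)   status = "locked"
            else if (lastchg == "0")   status = "must-change"
            else                       status = "static"
            print $1, status
        }' "$1"
}

# static_accounts FILE -> names of accounts whose shipped password stays valid
static_accounts() {
    audit_shadow "$1" | awk '$2 == "static" { print $1 }'
}

# Constructed sample; the hash strings are placeholders, not real crypt output.
sample_shadow() {
    cat <<'EOF'
root:*:17000:0:99999:7:::
pi:$6$constructedsalt$constructedhash:17000:0:99999:7:::
newuser:$6$constructedsalt$constructedhash:0:0:99999:7:::
daemon:!:17000:0:99999:7:::
EOF
}

tmp=$(mktemp)
sample_shadow > "$tmp"
audit_shadow "$tmp"
rm -f "$tmp"
```

On a real system the same function can be pointed at `/etc/shadow` (root required); any `static` account that still carries an image's default password is the case the thread is about.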