Comment by cookiengineer

Maybe you wanna check your systemd log once in a while. It begs to differ.

If ssh password out would be no problem, then why are so many APTs "wasting" their botnets with credentials stuffing?

Your assumption is wrong, and policies for key based auth eliminate the problem quite easily. Versus on the other hand: are you checking every colleague's password for length, charset, etc? All the time? On every server?

Probably not.