Also, don't use SSH passwords. Authenticate only with SSH keys.
An SSH private key is almost impossible to brute force, compared to passwords (unless your SSH key generator has been patched by a clueless Debian maintainer).
Funny tidbit. I spun up a DO box (luckily it wasn't too important) to do some tasks on.
I set the root password (over SSH) to something random but only 8 characters. I meant to change it to use only keys, of course, but the machine was compromised in under an hour!
Better yet: it's a workstation. There's a pretty solid chance you don't actually need sshd to be even running.
(Granted, this guide specifies that it's meant for sysadmins managing groups of workstations, in which case SSH access might be necessary for remote administration, but for most users, SSHing into a workstation is unnecessary.)