Just after setting up a Raspberry Pi, you can connect to the new machine over SSH by typing:

ssh pi@raspberrypi.local

and the default password is:

raspberry

After the basic configuration, a lot of hobbyist users leave everything as is once it starts working as planned, usually keeping the default security settings.

So it's still possible to log in to that Raspberry Pi with root-level access and reach all the data on it and on the network. Anyone unwanted who joins your Wi-Fi will find an open server with your data on it, just because the default password was never changed.

Even Raspberry Pi OS itself warns you at login:

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

So changing the password should be the first thing you do after connecting to the Pi via SSH for the first time.

Then create a new user:

sudo adduser user_name

Add it to the sudo group:

sudo adduser user_name sudo

Now you can reconnect over SSH as user_name, or just su to the new user. I prefer the first option, to make sure the new user actually works.

Logged in as the new user, it's time to lock the pi account:

sudo passwd --lock pi

On the client machine (your computer, not the Pi):

Create an RSA key pair if you don't have one:

ssh-keygen

And back them up; they are located in ~/.ssh.

Now it's time to associate your key with the newly created user on the Raspberry Pi:

ssh-copy-id user_name@raspberrypi.local

After a successful passwordless login, it's time to disable password login altogether.

Edit the SSH server config:

sudo nano /etc/ssh/sshd_config

Change the line:

#PasswordAuthentication yes

to

PasswordAuthentication no

Now restart the sshd service:

sudo systemctl restart ssh.service
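The sshd_config edit above, done as a script you can rerun safely, with a check that reads the file the way sshd does (first active occurrence of a keyword wins). This is an added example, not part of the original post; it assumes the stock Debian/Raspberry Pi OS file layout where the directive ships commented out, and it runs against a constructed temp file rather than /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Force "PasswordAuthentication no" in an sshd_config-style file.
# Rewrites a commented default ("#PasswordAuthentication yes"), an explicit
# "yes", or a duplicated line, and appends the directive if the file never
# mentions it. Note: lines inside Match blocks are rewritten too, so review
# such files by hand before using this on them.
set_password_auth_off() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    pattern='^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]'
    if grep -Eq "$pattern" "$cfg"; then
        # Write to a temp file and move it into place (portable, no sed -i)
        sed -E "s/${pattern}.*/PasswordAuthentication no/" "$cfg" > "$tmp" \
            && mv "$tmp" "$cfg"
    else
        printf '%s\n' 'PasswordAuthentication no' >> "$cfg"
    fi
}

# Return 0 only if password logins are off. sshd uses the FIRST active
# occurrence of a keyword, so check that one, not the last.
password_auth_disabled() {
    first=$(grep -E '^[[:space:]]*PasswordAuthentication[[:space:]]' "$1" \
        | head -n 1 | awk '{print tolower($2)}')
    [ "$first" = "no" ]
}

# Constructed sample that mirrors the stock default, written to a temp file.
demo_cfg=$(mktemp)
printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
              '#PasswordAuthentication yes' \
              'ChallengeResponseAuthentication no' > "$demo_cfg"
set_password_auth_off "$demo_cfg"
if password_auth_disabled "$demo_cfg"; then
    echo "password login disabled in $demo_cfg"
fi
rm -f "$demo_cfg"
```

Because the Include line at the top of the stock file is processed first, a file in /etc/ssh/sshd_config.d/ that sets PasswordAuthentication yes would still win, so on the real Pi confirm the effective value with sudo sshd -T | grep -i passwordauthentication and validate the config with sudo sshd -t before restarting the service.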

That's it!