Jeremy Davis

But both the core devs have extensive experience in IT security (both having worked with military IT) and as such I am inclined to accept their perspective on this.

As you have probably noticed, keypairs are an option from the Hub (which will set a random root password). I don't know enough about AWS to comment on your opinion re security groups so can't say much there.

Whilst having non-default usernames (and disabling root) makes it marginally more difficult (i.e. means that your site is not one of the 'low hanging fruit'), if someone is seriously trying to hack your site a non-default username alone is not going to make a lot of difference. I think that security by obscurity is not much security at all. If you have a good password (a complex randomly generated one as you suggest is optimal) then that is real security. Security by obscurity just promotes a false sense of security IMO.

My 2c anyway...

But the beauty of TKL is that it's open source so users such as yourself can relatively easily set it up how you want.