I concur with "allend" on all points.
Categorically speaking, always use certificates – with or without a passphrase – and do not permit "root" login.
Furthermore, strictly limit the number of users who are capable of escalating to "root." (That is to say, "members of the wheel group.") This is the "principle of least privilege." Minimize the number of users who are capable of walking into a telephone booth and flying out wearing ugly blue tights ...
This maxim applies equally to Linux, MacOS, Windows, or any and every other operating system. Take full advantage of the system's ability to say "No." "Unless you must be an administrator, you aren't one."
And, never use user-names like "admin." Who's the one-and-only super-user on the machine? Why, "suzy-q" of course ... but you'd never guess that.
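
Added example, not part of the original post: a small audit of the settings the post recommends (no root login over SSH, no password logins, a short wheel list, no guessable admin names). The sample inputs are constructed, and the `GUESSABLE` list, the `max_admins` threshold and all function names are assumptions made for illustration.

```python
import re

# Constructed sample inputs, not taken from a real host.
SAMPLE_SSHD = "PermitRootLogin yes\nPasswordAuthentication yes\npermitrootlogin no\n"
SAMPLE_GROUP = "root:x:0:\nwheel:x:10:suzy-q,admin,bob,carol\n"

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
GUESSABLE = {"admin", "administrator", "root", "test", "user"}  # assumed list

def effective_sshd_options(text):
    """Global options only; sshd keeps the FIRST value it reads for a keyword."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*[=\s]\s*(.*)", line)
        if not m:
            continue
        key = m.group(1).lower()          # keywords are case-insensitive
        if key == "match":                # conditional blocks are out of scope here
            break
        opts.setdefault(key, m.group(2).strip().strip('"').lower())
    return opts

def group_members(group_text, name):
    """Supplementary members of a group in /etc/group format (name:pw:gid:members)."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == name:
            return [u for u in fields[3].split(",") if u]
    return []

def audit(sshd_text, group_text, admin_group="wheel", max_admins=2):
    """Return finding labels; max_admins is an assumed local policy threshold."""
    opts = {**DEFAULTS, **effective_sshd_options(sshd_text)}
    findings = []
    if opts["permitrootlogin"] != "no":   # prohibit-password still lets root in with a key
        findings.append("root-login-permitted")
    if opts["passwordauthentication"] != "no":
        findings.append("password-auth-enabled")
    admins = group_members(group_text, admin_group)
    if len(admins) > max_admins:
        findings.append("too-many-admins")
    findings += [f"guessable-admin-name:{u}" for u in admins if u.lower() in GUESSABLE]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD, SAMPLE_GROUP))
```

In the sample, the later `permitrootlogin no` line does not help because the earlier `PermitRootLogin yes` is the value sshd uses. Users whose primary group is wheel do not appear in the member field and need a separate check against `/etc/passwd`.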