Michael: in my opinion, you've just made your device *less* secure by assigning a password to user (which was previously password-less and impossible to log in to). You've now created a second account on the device that could be exploited, doubling your exposure.

Adding a password for user is *NOT* the first thing anyone should do, but it is the worst thing anyone can do.

If you're using PuTTY, follow these instructions which allow you to login (ssh) as "user" without compromising your device by adding a password.