HostStack KVM VPS plans expect SSH administration — swap passwords for SSH keys where possible and disable password auth once keys proven.
First login checklist: update packages deliberately (know rollback paths), configure firewall defaults tighter than “allow world”, and create sudo-capable deploy users separate from root.
If credentials leak, revoke keys immediately — VPS compromises escalate faster than shared hosting incidents.