Heater wrote: when I put a Pi on the net soon enough I see login attempts for user "pi" showing up in the logs.
That is why I suggested discussing security of MQTT from the beginning. Setting up a Pi to turn on and off light bulbs is less fun if the entire Pi is subsequently controlled by an unauthorized third party.
At one point in history many Unix computers ran a network service called finger that would publicly report the usernames of everyone currently logged in. Knowing the username is already half the work when using trial-and-error methods to access a computer. Therefore, as a security measure, most systems no longer run the finger service. Similarly, most systems don't allow root to log in remotely.
All releases of Raspbian have a user named pi. Changing the password is good. Since the username is well known, it is still dangerous to allow the pi user to log in remotely.
Changing the name of the pi user is difficult, because it is hard-coded into start-up scripts and configuration tools. Instead of an installation program that guides users through the process of creating a new user, setting passwords and otherwise configuring the system, the last update to Raspbian added a splash screen and more colorful icons.