Be careful with what resources are accessed through an SSH session. While the initial client-server connection is encrypted, if the user accesses an insecure external resource via the server, that connection will not be encrypted (Barrett & Silverman, 2001).
It is smarter to use public key encryption instead of passwords for authentication. Passwords are more easily broken, guessed, or stolen, and only require an attacker possess a simple password to gain access to an account. Public key encryption requires both a passphrase and the private key of the client, so unless an attacker has both, gaining access is much more difficult (Gosling, 1998).