How would a 12-digit password be a safeguard in this situation?

So guys, I messed up the configs on a computer and left the SSH server open to the wild with ROOT login enabled. I’m trying to assess the potential damages, which I may never know for sure.

Regrets apart, this mistake lasted for over a year until I verified several SSH authentication attempts in secure.log (botnets and/or skiddies) with random users, but some tried with root. The secure.log shows that all root connection attempts failed and no break-in evidence, but I may not rely on those logs anymore.

My hopes rest on the fact that I changed the default SSH port (not really a security measure) plus a 12-digit password (capital and noncapital letters plus symbols, so 72^12 possibilities). However, I don’t know if a 12-digit password is really worth a security matter these days. Even considering a swarm of botnets (between 300k to 6M), it would take years to break the password, but DoS and DDoS are other possibilities and I wanna try to reach some peace of mind.

Unfortunately, I had to format and re-install Linux on this computer given ongoing needs, but I’ve kept /var/log/ files in case of an investigation. The network admin (the computer wasn’t at my home) didn’t notice any suspicious activity, then I came up with a few possibilities after some research:

  1. OK scenario: password was worth its length and held off any intruder.

Possible solution: harden security and (even) keep the OS.

Comment: the intruder may have cleared the logs to trick me, so better to be sure and format anyway.

  2. Bad, but manageable scenario: someone managed to connect and set up a botnet/spammer/bitcoin miner.

Possible solution: format computer and harden security.

Comment: no suspicious network activity had been noticed and I’d have noticed some CPU stress and/or other symptoms, but none seen. However, I used only SSH terminal with no graphic interface (tty) in this computer, so symptoms would be possibly less evident (?).

  3. Really a bad scenario: intruder accessed my computer and stole my data.

Possible solution: format computer and harden security.

Comment: OK I’d need to live with that, but the hardware would be reusable.

  4. Worst-case scenario: intruder break-in plus a rootkit/keylogger/sniffer/worm.

Possible solution: format computer and harden security, unless a more serious intervention had been done, like BIOS or HDD/SSD firmware virus/rootkit.

Comment: I believe a hardware-level threat means game over for MB and SSD/HDD.

In summary: (1) would be fine; (2) seems very unlikely, since no alarms were triggered, (3) is bad, but hardware still OK, and (4) is the worst scenario. I believe a compromised root password is way worse than getting a rootkit from some suspicious downloaded app (just guessing), especially if it is nested into the hardware.

Therefore, scenario (4) worries me and I presume I don’t have any means to find out if my computer had an intervention at hardware level. Per my research, BIOS and SSD/HDD firmware hacks are possible and usually meant for high-level targets (not my case), but rare for ordinary users and very hardware-dependent (I found lots of debate on internet).

Any thoughts/ideas/suggestions on ways I could verify my hardware are appreciated.
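
A first-pass triage of the retained sshd log (the post's secure.log), added here as an example and not part of the original post: it tallies failed attempts per user and source address, lists every accepted login, and flags accepted logins from an address that had failed earlier in the same log. The sample lines are constructed in the usual OpenSSH syslog format, and `triage` and the regex are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH sshd syslog format (not from the post).
SAMPLE = """\
Mar  3 04:12:55 host sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 04:12:57 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 04:13:01 host sshd[2215]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar  4 09:01:10 host sshd[3100]: Accepted password for root from 198.51.100.20 port 40022 ssh2
Mar  5 02:40:33 host sshd[4120]: Accepted password for root from 203.0.113.7 port 51999 ssh2
""".splitlines()

# The user field is attacker-controlled text, so match it greedily and take the
# source address from the last " from <ip> port <n>" on the line.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>.*) from (?P<ip>\S+) port \d+"
)

def triage(lines):
    """Return (failed counts per (user, ip), accepted logins, flagged accepted logins)."""
    failed = Counter()
    failed_ips = set()
    accepted, flagged = [], []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an sshd authentication result line
        user, ip = m["user"], m["ip"]
        if m["result"] == "Failed":
            failed[(user, ip)] += 1
            failed_ips.add(ip)
        else:
            entry = (line[:15], user, ip, m["method"])  # first 15 chars = syslog timestamp
            accepted.append(entry)
            # Success from an address that failed earlier in this log: review it first.
            if ip in failed_ips:
                flagged.append(entry)
    return failed, accepted, flagged

if __name__ == "__main__":
    failed, accepted, flagged = triage(SAMPLE)
    for (user, ip), n in failed.most_common():
        print(f"failed   {n:4d}  {user}@{ip}")
    for entry in accepted:
        print("accepted", *entry, "<-- REVIEW" if entry in flagged else "")
```

Every accepted login that does not match a session the owner made is worth checking, flagged or not. An empty result only describes what the log still contains.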