Securing hassio

I have my Raspberry Pi running, and have Visual Studio able to edit the hass.io files (via Samba share), and I set a static IP address using the USB method.

What I am interested in learning is what password systems are needed or recommended. At this point I will not be accessing my system from outside my network.

There is a log-in password (required when first setting up the Pi; editable in HASS UI).

Are there any good articles on security, with definitions of what an API password is and where it fits in with the log-in password, etc.? I found a few, but they show configuration.yaml files that include content that mine does not have - in fact, mine is mostly empty (maybe due to just starting?).

Did you read the section about the legacy API password?

It says that the API password will be deprecated soon, so you should use one of the other auth methods unless you absolutely have to use the legacy API password for an integration that isn’t set up to use the new methods. Because you are a new user, I seriously doubt you fall into this category.

So, all that said, the username/password you set on the initial login screen is your admin/owner password. You don’t need to set any others if you are the only user or just want everyone who accesses HA to use the same login. Or, if not, then you can create additional users with their own password.

For the best security, you can either use a VPN or equivalent or sign up for the HA cloud service if you ever want to access your instance from outside your local network.