Yes, it's risky to accept password auth if someone sharing the box with you has a poor password. They could do things like:
- Install a spam or brute force password bot, which could get the machine kicked off its internet connection (in addition to whatever havoc it causes first)
- DoS the server by filling up the disk or using too much RAM (are quotas enforced?)
- Exploit a local vuln to get root, if such exists on that box. (Is the kernel promptly patched and the box rebooted?)
- Explore other users' directories (are permissions locked down correctly across users?)
…and more thrilling possibilities!
Embrace key auth. Future you will thank you.
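
An added example (not part of the original answer): a Python check over `sshd_config` text that reports every place password-based logins are still accepted on a shared box. The function names and both sample configs are constructed for illustration; `Include` files are not followed, so on a live host compare the result with the output of `sshd -T`.

```python
import re

# Defaults per sshd_config(5); keyboard-interactive can still prompt for a
# password through PAM, so both password paths must be "no".
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_KEYS = ("passwordauthentication", "kbdinteractiveauthentication")

def parse(config_text):
    """Return (global_settings, match_blocks); the first value seen wins."""
    global_scope, blocks = {}, []
    scope = global_scope
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":          # settings below apply only to this block
            scope = {}
            blocks.append((value, scope))
        else:
            scope.setdefault(key, value.lower())
    return global_scope, blocks

def password_auth_findings(config_text):
    """List every place where a password-based login is still accepted."""
    global_scope, blocks = parse(config_text)
    effective = {**DEFAULTS, **global_scope}
    findings = [f"global: {k} is {effective[k]}"
                for k in PASSWORD_KEYS if effective[k] != "no"]
    if effective["pubkeyauthentication"] != "yes":
        findings.append("global: pubkeyauthentication is not enabled")
    for criteria, scope in blocks:
        findings += [f"Match {criteria}: {k} is {scope[k]}"
                     for k in PASSWORD_KEYS if scope.get(k, "no") != "no"]
    return findings

# Constructed sample configs, not taken from any real host.
WEAK = "Port 22\nPasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = ("PasswordAuthentication no\nChallengeResponseAuthentication no\n"
            "Match User legacy\n    PasswordAuthentication yes\n")

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, password_auth_findings(text) or "no password logins")
```

The `HARDENED` sample still produces a finding: a `Match` block can re-enable passwords for one account even when the global setting is `no`.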