If an attacker knows your in-game username is "Admin," they can simply type "Admin" into their cracked launcher, log into your server, and instantly gain full operator (OP) permissions. They do not need your password because the server is not checking with Microsoft.
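The following audit script is an added example, not code from the original page. It reads `server.properties` and `ops.json` and reports which operator entries can be claimed with nothing but the username. It assumes the vanilla `ops.json` layout and the vanilla offline-mode behaviour of deriving a player's UUID from the string `OfflinePlayer:<name>`; the function names and sample data are constructed for illustration.

```python
import hashlib
import json
import uuid

def parse_properties(text):
    """Parse server.properties content (key=value lines, '#' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def offline_uuid(name):
    """UUID an offline-mode server computes from the name alone (MD5, version 3)."""
    digest = hashlib.md5(("OfflinePlayer:" + name).encode("utf-8")).digest()
    return uuid.UUID(bytes=digest, version=3)

def audit(properties_text, ops_text):
    """Report each operator and whether a bare username is enough to become it."""
    props = parse_properties(properties_text)
    # A missing key means the default (true); any value other than "true" counts as off.
    online = props.get("online-mode", "true").lower() == "true"
    ops = []
    for op in json.loads(ops_text):
        derived = str(offline_uuid(op["name"]))
        ops.append({
            "name": op["name"],
            "level": op.get("level"),
            # With online-mode off, identity is a pure function of the typed name.
            "claimable_by_name": (not online) and str(op.get("uuid", "")).lower() == derived,
        })
    return {"online_mode": online, "ops": ops}

# Constructed sample input: one OP granted in offline mode, one with an unrelated UUID.
SAMPLE_PROPERTIES = "# Minecraft server properties\nonline-mode=false\n"
SAMPLE_OPS = json.dumps([
    {"uuid": str(offline_uuid("Admin")), "name": "Admin", "level": 4},
    {"uuid": "11111111-2222-4333-8444-555555555555", "name": "Builder", "level": 2},
])

if __name__ == "__main__":
    result = audit(SAMPLE_PROPERTIES, SAMPLE_OPS)
    print("online-mode:", result["online_mode"])
    for op in result["ops"]:
        print(op)
```

Any entry reported with `claimable_by_name` set should lose operator status, or sit behind a server-side login mechanism, for as long as `online-mode` stays off.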
servers (non-premium) typically requires a few specific configuration steps, as most "always-on" free hosts still require you to manually toggle the "online-mode" setting.
Uses a renewal system. You must click a button on their Discord or dashboard every few days to keep the server from sleeping.