A severe limitation of Nostr is that you have to use your private key to log in to questionable third-party apps which may or may not steal it. If it's compromised there is no way to change it or prevent unauthorized access.

Discussion

It's less to do with a limitation of Nostr and more to do with the 3rd-party app devs taking shortcuts.

If they really cared, a dummy-easy way to do things would be to

1. Have a Nostr handle for their service.

2. User visits the 3rd-party site and the site gives them a randomly generated code to post to the Nostr handle in 1.

3. Authenticate the user.

Use a browser extension like Alby on Chromium-based browsers and Nostore on Safari.

Private key stays on your local machine and the extension handles signing for you.

We’re still early. I completely expect sites to stop asking for or accepting private keys in the medium term. Tooling just isn’t quite there yet for all platforms.

Who made Nostore?

#[4]

Here's the GH repo too: https://github.com/ursuscamp/nostore