Thanks for beating me to it! I think the preferred best practice is to use an extension, which has its own risks as well arguably, but the risk is low/minimal using an nsec to login in my opinion, but it is good practice to minimize any nsec exposure for maximum privacy practices.