The implementation of the private-key-based system seems flawed. Like, accidentally share your secret key, and your entire profile is doomed. I don't understand why there's no password protection for the private key unlike with PGP keys, for example.