While "steem surfing" (OK, I just coined this term on my own for lack of an official term), I encountered some sites that redirect you and require you to sign in via SteemConnect before proceeding.
For those who don't know, "SteemConnect is the ideal solution for making it easy and safe for users to sign in to 3rd party Steem applications and for developers to build and scale these applications." (Source: https://busy.org/@steemitblog/steemconnect-2-0-easy-fast-efficient-access-to-the-steem-blockchain). This indeed sounds like a great platform. Instead of having to share your Steemit keys with all sorts of different third party apps, SteemConnect acts as a common, familiar and comfortable middleman that handles all your authentication needs with these apps.
There is only one hurdle for me -- SteemConnect will sometimes ask for your active or owner key, or even your master password.
This instantly sets off a warning signal in my mind: "Can we trust SteemConnect with our keys and passwords?" I'm sure some of us have also noticed the warning from the Steemit site whenever we check our wallets:
So can we really trust SteemConnect with our keys and passwords?
In summarizing my research, I was able to gather the following three points, which I believe others with the same concerns would appreciate:
SteemConnect is actually an official partnership between Steemit Inc and the Busy team. We do trust Steemit with our keys and password, so having the official backing and collaboration of the Steemit team themselves with the original developers of SteemConnect is certainly a confidence booster. Check out the post here: https://busy.org/@steemitblog/steemconnect-2-0-easy-fast-efficient-access-to-the-steem-blockchain
The article goes on to say that "SteemConnect is a community project. That’s why it’s open source under MIT license, for anyone to use (and contribute to) as they see fit!" This is another plus point for me. No hidden code: the entire code is available for everyone to use, study and contribute to.
And finally, I also managed to get a clarification from @Fabien, one of the founders of @Busy.org. Here is his clear and concise reply: "With SteemConnect2 you need to grant permission to post on your behalf, so the app busy can post for you. This operation requires at least your active key when you authorize the app, then you can log in with your memo key or posting key. You can revoke anytime using this link http://steemconnect.com/revoke/@busy.app
The active key is only used to make the operation in your browser then discarded, nothing stays or goes to the server."
After internalizing all my research, I'm quite reassured. I hope this also adds valuable input for those who are worried about this particular concern.
As always, let me know your thoughts and feedback on this matter. Have a great week ahead!