There is a misconception in this community, that using your private posting key to login into outside services is safe.
That is not true, here is why:
While a bad actor having your private posting key can not take your money, they could exploit and eventually damage your account in a lot of other ways.
In Steem you "Mine" (as in proof of work(+brain?)) with you private posting key.
The cumulative reward for that act is 7% of steem's yearly inflation.
Meaning, if one want piece of that pie, they need to pool some SP, then use the private posting keys that control it to do their deeds.
And what better way of doing that, than starting a service that collects private posting keys, for whatever reason.
There already are upvote botnets that are making their money that way.
Some of them are legitimate services (I use the @shadowbot voting pool),
but can you trust anyone with the power to do right by you, now or in the future ?
Can you trust them to be secure enough to not get hacked and leak your keys ?
Leasing SP costs money. There are services that enable you to lease your SP, or get some and power up your votes (https://steemit.com/@minnowbooster)
From here, it gets darker...
You could bring one's reputation to the ground with enough SP backed downvotes.
You could hide posts on steemit.com
That is abuse. And abuse brings the @steemcleaners,
and your account provider (Steemit Inc).
You don't want to be in a situation where these guys show up.
That means you've became a victim of abuse,
or your account is wrecking havoc on the blockchain.
With you private posting key, one could edit all posts and comments, deface your profile or worse - change all the links to a phishing sites or ones with a drive-by exploits on them.
Afterwards all bets are off and some people will get burned.
And that's why, if you are a developer of a new or existing service around steem, don't ask for private posting keys if you don't really need them.
P.S. I know some people will point out that most of the services keeping the keys inside the browser.
How sure are you ?
Especially when you get the latest version every time you go to the service's URL.
When was the last time you did inspect the code, as it was running in your browser ?
Was it minified ?
The things one could do after collecting the keys, they can do by simple code injection...