You would need a trusted key holder or a nsec derivative from the combination of username and password (bad ideia that changes nothing). A signer fix this.

No. It would just be a calculation of an nsec out of login data. The login data would never be stored anyway, they would just be SHA256-hashed, and that hash would be the private key. This is just a thought about making a Nostr client "normie" friendly.