Yes, that's true.
The most important thing of all is that you never use your master password to sign in anywhere.
Always use your posting key (most secure) or active key.
In case you have your account compromised, you can use your master password to reset the other keys (posting key/active key).
Thanks @exyle! I just wanted to test a new app called "What-App Q&A" that is supposed to be built on top of the Steem Blockchain. However, when I try to log in with Steemconnect, I see it asks at least for the active key, which makes me wonder whether that is secure.