Comment on New bot rules, Lemmy 0.18.3, and a message about alternative Lemmy frontends on lemm.ee
athlon@lemm.ee 1 year ago
As an author of one Lemmy front-end, I can confirm that you are potentially sharing your username and password. Unfortunately, there is no way for Lemmy front-end developers to, say, open a web socket to a Lemmy instance and have you log in through a web browser (which would be much preferred from a security standpoint, but it is what it is).
Furthermore, from what I see, many such instances store your password instead of just the Bearer token. Unfortunately, from what I get, there is also no way of invalidating the Bearer tokens right now, so in the event of it getting stolen - you’re f***ed.
Now, a couple of tips:
- USE 2FA AUTHENTICATION. In the event of a malicious app actually stealing your credentials, you are at least a little bit more protected by this layer.
- Use a password manager - do not use your banking password, please.
- Only use trusted front-ends, and in the event of an app, only download versions from official sources maintained by the app author.
- Make sure the instance you’re registered at has a valid HTTPS certificate.
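The distinction the comment draws between a front-end that keeps your password and one that keeps only the Bearer token can be shown in code. The following is an added example, not code from any Lemmy front-end or from the commenter: the login call is a constructed stand-in (a real client would POST the credentials to the instance over HTTPS and receive a JWT), and the token format and claims are constructed for the demo. It persists only the token, then audits a store the way a reviewer would, flagging a stored password and a token that carries no expiry, since, as the comment notes, a leaked token cannot currently be invalidated and stays usable until it expires.

```python
import base64
import json
import time
from typing import Callable, Dict, List, Optional

# Type of the injected login call: (username, password) -> bearer token.
# Constructed for this example so it runs offline.
LoginFn = Callable[[str, str], str]


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_fake_jwt(sub: str, exp: Optional[int]) -> str:
    """Build a demo token shaped like a JWT (header.payload.signature).

    Constructed for the example; the signature is a dummy and the token is
    never treated as proof of anything.
    """
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload: Dict[str, object] = {"sub": sub}
    if exp is not None:
        payload["exp"] = exp
    return f"{header}.{_b64url(json.dumps(payload).encode())}.sig"


def fake_login(username: str, password: str) -> str:
    """Stand-in for the instance's login endpoint (constructed).

    Always succeeds and hands back a token valid for one hour.
    """
    return make_fake_jwt(username, int(time.time()) + 3600)


def jwt_claims(token: str) -> Dict[str, object]:
    """Decode a JWT payload without verifying it.

    Only the server can verify the signature; a client reads the claims
    merely to know when it will have to prompt for login again.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def login_and_store(username: str, password: str,
                    login: LoginFn, store: Dict[str, str]) -> None:
    """Exchange the password for a token and persist only the token.

    The password is used once for the exchange and never written to the
    store, so a compromise of the store cannot reveal a reused password.
    """
    token = login(username, password)
    store.clear()
    store["jwt"] = token


def audit_store(store: Dict[str, str]) -> List[str]:
    """Return findings a reviewer would raise about a front-end's token store."""
    findings: List[str] = []
    for key in store:
        if "pass" in key.lower():
            findings.append(f"plaintext credential stored under key {key!r}")
    if "jwt" in store:
        claims = jwt_claims(store["jwt"])
        if "exp" not in claims:
            findings.append("token has no expiry; a leaked token stays valid indefinitely")
        elif float(claims["exp"]) < time.time():  # type: ignore[arg-type]
            findings.append("stored token is expired; prompt for login again")
    return findings


if __name__ == "__main__":
    good: Dict[str, str] = {}
    login_and_store("alice", "correct horse battery", fake_login, good)
    print("token-only store:", audit_store(good))
    # Constructed example of the pattern the comment warns about.
    bad = {"username": "alice", "password": "correct horse battery",
           "jwt": make_fake_jwt("alice", None)}
    print("password-keeping store:", audit_store(bad))
```

The audit is deliberately client-side and signature-free: it cannot tell whether a token is still accepted by the instance, only whether the store holds more than it should and whether the token advertises an end of life. That is the practical limit the comment describes, and the reason 2FA and a unique password still matter even with a token-only client.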