I have read that scanning the QR code for the PRIVATE key is not good. Not secure.
Whoever told you that is wrong.
But we pressed on; he scanned it (same Mycelium wallet app that I use), and then the PW worked and he said the balance was there and correct (good)... but that the only option he had available was "send." I'm assuming this is correct.
That's correct. Mycelium works by accounts. Each account is 1 or more private keys. When you import an address, it goes to a new account with only that private key. There is no receive option because a new private key for an address cannot be generated for that account.
So I asked him to go ahead and close that portion of the wallet and go back to "Accounts"... I forgot to tell you this, but BEFORE we did this, I asked him to tell me how many private keys he had. He said "2." I assume 1 is his private key, and the other is mine... 'cause there's only been 1 transaction from me to him. 2 keys makes sense. But am I right?
No. Paper wallets only have 1 private key. That is for one account. The other account would only be there if you created it, which, IIRC, Mycelium has you do on the first run of the app. It is not possible to get a private key from a transaction.
So then he looks at the "Accounts" and I ask him how many keys he has now. I was expecting him to say "3" because in my mind, he had just imported and processed the private key from the paper wallet. Well, this made me panic a little bit (not much), but it prompted me to sign up here and ask these questions.
Accounts and keys are two entirely different things.
How many accounts did he have? Still 2? If so, that is supposed to happen.
DID WE IN FACT COMPROMISE his private key? If so, he obviously needs to move that money to a new wallet ASAP.
Probably not. However, a paper wallet is supposed to be a one-use thing, so he should move the Bitcoin out anyway onto another address on the phone.
I understand the private key is the key to the kingdom. If you don't have it... you're out of luck. Forever. I also understand that the public key is just that. Public. Your piggy bank. I've read I can put that out anywhere on earth; some places even encourage it... but THERE TOO is another confusing issue for me. Everywhere you look you see "never use the same address twice. Send or receive." Well, which is it?
All of the above. The Bitcoin address is derived from the public key; the address can and should be given out. The public key will be given out once the address is spent from. The idea of not reusing addresses is both to protect your privacy and for some extra security. Regarding privacy, reusing addresses means that anyone who sends money to you can see how much money you currently have. That is not exactly a good thing. Regarding security, if ECDSA is broken such that the private key could be derived from the public key, then reusing addresses means that the Bitcoin associated with your reused addresses is at risk. This is because the public key is exposed when you spend. Addresses are actually hashes of the public key, so you can receive to an address and the Bitcoin will still be safe should ECDSA be broken. By not reusing addresses, by the time the public key is revealed, the Bitcoin is already gone, and it is pointless for an attacker to try to get the private key because that address is empty.
And for the life of me, I cannot understand why private keys would be stored on the SAME digital device that also can produce send and receive addresses.
First of all, there is no such thing as a send or receive address. They are all the same, just Bitcoin addresses. And technically, addresses don't actually exist and are just abstractions for humans.
An address is derived from a public key, which is derived from the private key. Thus private keys and addresses are inherently linked and are stored and produced on the same device. There is no security risk, and if your private key is compromised, the address can be easily derived (but that isn't even necessary for spending anyway).