In general we find 4-5 keys every couple of months and about 50% of the time they have no encryption key on them. This means that if the key had been found by a third party, they could use them without any problems in getting access to any server the public key has been placed in an .ssh/authorized_keys file. And while I have not tested the passwords on the encrypted id_rsa keys, I have tested some private created ones and found that the brute forcing is a lot faster than what is possible against the sha512crypt() used to encrypt Fedora passwords.
With this in mind, it is always important to make sure your SSH private keys remain
- on hardware that you control and not uploaded to services in the cloud.
- password encrypted with a password at least 10 characters in length and not easily guessable. [Using passwords like "fedoraproject", "password", "sshpassword", or the favourite "123456" are not hard to find or guess by an attacker]
[smooge@seiji-wlan ~]$ for ((i=0; i<10; i++)); do /usr/bin/pwqgen random=65; done
bias Blaze Crook Primal Shore
Borrow tilt Macro Beef leo
Growth Reside Dolly prompt openly
Crawl sigh Boyish thrill lake
Past Urgent Carbon Orient Wrap
root Arm Book Candy iowa
chalk Plasma Champ Active motion
Pause border Retina Mrs storm
fault Mouth Xerox inward snatch
advert apex Mature Akin play
Chose the line you like the best.