Private keys without a passphrase are probably even riskier than passwords
Private keys with a passphrase had better have a hard passphrase or they'll just be bruteforced offline