When a private is "protected by a password", it merely means that the key bytes, as stored somewhere, are encrypted with a password-derived symmetric key. A private key is readily encodable as a sequence of bytes, and can be copied, encrypted and decrypted just like any file. The important point here is that the password is all about storage: when the private key is to be used (e.g. to sign something), then it is first decrypted in the RAM of some computer, which then proceeds to use the non-encrypted private key. Correspondingly, there is nothing special in a RSA key pair which would make it suitable or unsuitable for password protection. Password protection is really an orthogonal issue.
Of course, if a private key has ever been stored on some physical medium (say, a hard disk) without any extra protection, then it may have left exploitable traces there. Details depend a lot on what system is actually used for private key storage. For instance, Windows systems use DPAPI for storing user's private keys, and DPAPI makes some extra efforts at not letting stored keys leak (whether these efforts are successful remains to be proven).
pkcs8 -topk8 [-v2 $cipher]
and in 1.1.0+ add-niter $n
with the highest count you can afford (the default, and before 1.1.0 the only value, is 2048). – dave_thompson_085 Feb 12 '19 at 02:28openssl pkcs8 -topk8
command in modern versions of openssl can do scrypt or bcrypt with some large number of iterations. Even in older versions, it can do pbkdf2 with 2048 iterations. Depending on your openssl version, you may be stuck with Triple-DES as the cipher. – Brian Minton May 17 '19 at 03:30