A very short one. Reasonable 10+ character passwords should remain out of reach for years.

Also, AFAIK there doesn't currently exist any very effective GPU cracking software for SSH passphrases.

I went to lookup the algorithm GPG uses to encrypt private keys, to help answer the original question, but couldn't seem to find that information anywhere. Do you know what it is?

According to a quick stack exchange search, OpenSSL uses 3DES for encryption of private keys.

You're already given your own concrete time estimate - 'hours' - how did you work that out?

An old article I read about password cracking using EC2 while back... let me look it up.