It turns out the must-have password was a setting on my server.
Account password is not the same as key passphrase.
As for the encryption, that's stated in the private key itself.
I'm not here to explain to you how public key authentication works, but only briefly:
The ppk file consists of two parts, the public key and the private key. The public key is stored unencrypted, whether you use a passphrase or not. The private key is encrypted only if you use a passphrase. When authenticating, only the public key is sent over the internet. Being PUBLIC, it does not matter if ANYONE gets access to it.
If you do not believe it, well, that's your problem.
But you can try a simple test. Make a new encrypted key that you do not tell the server about. Try to authenticate using it. You will get the message "Server refused our key", without ever being asked for the passphrase... How is this possible? Because what I wrote above is true. WinSCP can read the public part of the key, which is used for the authentication, without the passphrase, even though the key is encrypted. Because the public part is not! And the server can verify your public key even before WinSCP tries to decode the private part (for which it would need the passphrase if the key is encrypted). So it does not even know if you have the private key encrypted. It can hardly require the key to be encrypted if it cannot tell whether it is.
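As an added illustration, not part of this thread and not WinSCP's or PuTTY's own code: the test above rests on the layout of a .ppk file, where the `Public-Lines` block is plain base64 of the SSH public-key blob and only the `Private-Lines` block is encrypted (the `Encryption` header says how, or `none`). The Python below builds a constructed, version-2-shaped .ppk around a stand-in Ed25519 public key (`SAMPLE_ED25519_PUBLIC` is just 32 fixed bytes, the private block is filler and the MAC is a placeholder, so the file cannot log in anywhere) and then parses the public block out of it without touching the private block, so no passphrase is ever needed. The helper and function names are my own; a version-3 file's extra Argon2 headers would simply be read as ordinary headers and ignored.

```python
import base64
import struct

# Constructed stand-in for a 32-byte Ed25519 public key (not a real key pair).
SAMPLE_ED25519_PUBLIC = bytes(range(32))


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_strings(blob: bytes) -> list:
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def build_sample_ppk(encryption: str, comment: str = "sample-key") -> str:
    """Assemble a PPK-version-2 shaped file around the constructed public key.

    The private block is filler bytes, not a real (encrypted) private key, and
    the MAC is a placeholder: enough to exercise the parser, not enough to log in.
    """
    public_blob = ssh_string(b"ssh-ed25519") + ssh_string(SAMPLE_ED25519_PUBLIC)
    public_b64 = base64.b64encode(public_blob).decode()
    public_lines = [public_b64[i:i + 64] for i in range(0, len(public_b64), 64)]
    private_b64 = base64.b64encode(b"\x00" * 48).decode()  # filler, see above
    return "\n".join([
        "PuTTY-User-Key-File-2: ssh-ed25519",
        f"Encryption: {encryption}",
        f"Comment: {comment}",
        f"Public-Lines: {len(public_lines)}",
        *public_lines,
        "Private-Lines: 1",
        private_b64,
        "Private-MAC: " + "00" * 20,  # placeholder, not a valid MAC
    ]) + "\n"


def parse_ppk_public(text: str) -> dict:
    """Read the headers and the public-key block of a .ppk file.

    The Private-Lines block is skipped unread, so the function works the same
    whether or not the key is passphrase-protected.
    """
    lines = text.splitlines()
    headers, public_b64, i = {}, [], 0
    while i < len(lines):
        name, _, value = lines[i].partition(": ")
        i += 1
        if name in ("Public-Lines", "Private-Lines"):
            count = int(value)
            block = lines[i:i + count]
            i += count
            if name == "Public-Lines":
                public_b64 = block
            continue  # Private-Lines: the encrypted part, deliberately not parsed
        headers[name] = value
    version_key = next(k for k in headers if k.startswith("PuTTY-User-Key-File-"))
    algorithm = headers[version_key]
    blob = base64.b64decode("".join(public_b64))
    fields = read_ssh_strings(blob)
    if fields[0] != algorithm.encode():
        raise ValueError("public blob algorithm does not match file header")
    comment = headers.get("Comment", "")
    return {
        "version": int(version_key.rsplit("-", 1)[1]),
        "algorithm": algorithm,
        "encrypted": headers.get("Encryption", "none") != "none",
        "comment": comment,
        "public_blob": blob,
        "authorized_keys_line": f"{algorithm} {base64.b64encode(blob).decode()} {comment}",
    }


def public_key_independent_of_passphrase() -> bool:
    """The point of the post: the public block read from a passphrase-protected
    file is byte-for-byte the one read from an unprotected file of the same key."""
    protected = parse_ppk_public(build_sample_ppk("aes256-cbc"))
    plain = parse_ppk_public(build_sample_ppk("none"))
    return (protected["encrypted"] and not plain["encrypted"]
            and protected["public_blob"] == plain["public_blob"])


if __name__ == "__main__":
    info = parse_ppk_public(build_sample_ppk("aes256-cbc"))
    print("encrypted:", info["encrypted"])
    print(info["authorized_keys_line"])
    print("public key independent of passphrase:", public_key_independent_of_passphrase())
```

The `authorized_keys_line` value is exactly what a client offers the server first; the server answers "refused" or "accepted" on that basis alone, and the private block is only decrypted (prompting for the passphrase) once the server has accepted the public key and asks for a signature.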