App passwords are 16 characters long and only contain lowercase letters, so from a security perspective they are rather weak (according to my password manager).
But I guess a hacker, trying to guess passwords, would get blocked after a while, because he/she had too many failed login attempts. If that’s the case then the whole system is secure again. Is that the case with Runbox? 
If you are concerned about security, here are some tips:
Use a strong password (letters, numbers and special characters).
Change your password regularly (e.g. every 2-3 months).
Set up two-factor authentication on your Runbox account (this will make it harder for hackers to access your account).
Hello. There is an argument against changing passwords regularly. Some research has shown that people change them for variations of the same thing or for weaker passwords they can remember in the short term. A strong password you can keep for a much longer period is better for a lot of people.
We have some advice on passwords and account security here: Username and Password Security | Runbox Help
While I’m thankful for any replies they don’t seem to answer my question–because Runbox app passwords are 16 character passwords that are provided by the system, I can’t change them (unless I’m doing something wrong). And I tested these provided passwords with my password managed (KeePassXC) and this program said they are rather weak passwords.
And I agree with Dave that it’s not a good idea to change passwords regularly. A UK government agency states the following:
Regular password changing harms rather than improves security.
@Peter Sorry for not answering your original question. We are looking at increasing the strength of app passwords, but we also have to make sure they aren’t too long people won’t use them. Some people don’t copy and paste them and just need to be able to read and type them in.
Yes, failed logins do get blocked after too many tries.