In Cryptomator, a recovery key is automatically generated when you create a vault, and it can be used to change your password.
This recovery key consists of simple words and is weaker than a random password of the same length. It seems that no matter how strong you make your password, the security of the vault cannot exceed the strength of the recovery key.
Is this concern unfounded?
The password is combined with data in vault.cryptomator to compute the masterkey. It is the easy-to-use, everyday access tool to your vault.
The recovery key is the vault masterkey, just in a different form. It never changes. It is designed for emergency cases, to make data accessible again.
The recovery key should be considered as top confidential and only be stored at a secure place.
And yes, simply put, a password longer/stronger than the masterkey does not make sense, because then it is easier to guess the masterkey/recovery key. But the masterkey consists of 43 words, selected from a pool of 4096 words. In the worst case an attacker has to try out 4096^43 combinations (a number with 155 zeroes).
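To put the answer's numbers side by side, here is an added worked example (not from the thread and not Cryptomator's own code) that computes the entropy of a 43-word key drawn from a 4096-word list, checks the size of 4096^43, and works out how many random characters a password would need to reach the same entropy. The alphabet sizes (95 printable ASCII, 62 alphanumeric, 26 lowercase) are assumptions for the comparison, not values from the page.

```python
import math

# Values stated in the answer above.
WORD_POOL = 4096   # size of the recovery-key word list
KEY_WORDS = 43     # number of words in a recovery key

# Assumed character alphabets for the comparison password (not from the page).
ALPHABETS = {
    "printable ASCII": 95,
    "alphanumeric": 62,
    "lowercase only": 26,
}


def entropy_bits(pool_size: int, symbols: int) -> float:
    """Entropy in bits of a key made of `symbols` independent, uniform
    choices from a pool of `pool_size` items (words or characters)."""
    return symbols * math.log2(pool_size)


def combinations(pool_size: int, symbols: int) -> int:
    """Total number of distinct keys an attacker would have to try out."""
    return pool_size ** symbols


def decimal_digits(n: int) -> int:
    """Number of decimal digits of a positive integer."""
    return len(str(n))


def chars_for_equivalent_entropy(bits: float, alphabet_size: int) -> int:
    """Smallest password length over `alphabet_size` characters whose
    entropy is at least `bits` (assuming each character is chosen
    uniformly at random, which human-chosen passwords rarely are)."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    bits = entropy_bits(WORD_POOL, KEY_WORDS)
    total = combinations(WORD_POOL, KEY_WORDS)
    print(f"recovery key: {KEY_WORDS} words from {WORD_POOL} -> {bits:.0f} bits")
    print(f"search space 4096^43 has {decimal_digits(total)} decimal digits")
    for name, size in ALPHABETS.items():
        n = chars_for_equivalent_entropy(bits, size)
        print(f"random {name} password needs {n} characters to match")
```

The result shows why a stronger password cannot raise the vault's security above the recovery key: the key already carries 516 bits of entropy, and even a fully random 95-character-alphabet password would need 79 characters to match it, so in practice the password is the weaker of the two factors, not the recovery key.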