In general from our Knowledgebase:
"BoxCryptor uses two keys for file encryption: a master key which is derived from a user supplied password and a volume key. All files are encrypted with a volume key which is generated when a new encrypted directory is created. The volume key is stored encrypted by the master key in a configuration file (.encfs6.xml) at the top level of the source directory. When BoxCryptor mounts an encrypted directory you have to enter the password. The password is used to derive the master key and the master key is used to decrypt the volume key which is then used for file encryption."
Concerning your questions:
"Somehow" means your files are encrypted by the volume key which is stored encrypted (with the AES-256 algorithm) in the .encfs6.xml file. To decrypt the volume key you have to enter your password which is then used to derive the master key which decrypts the volume key. To derive the master key BoxCryptor uses the PBKDF2 function: http://en.wikipedia.org/wiki/PBKDF2.
So you are right that the password is the weakest part in the security chain. But for the password the user is self-responsible and it is highly recommended to use a long password with numbers, big and small letters and special characters. This will highly increase the effort to run a brute-force attack:
As mentioned above a brute force attack on your password is (theoretical) possible but practically not relevant if you use a secure password. The encrypted volume key is stored together with the encrypted files, because you need both on each device in order to decrypt a file. So the key and the files have to be transferred to your other devices (mobile devices, laptop etc.) which are connected to the cloud where your encrypted files are stored. If you use a secure password the security level is definitely high enough to be safe.
Nevertheless, if you don't feel comfortable with this solution, it is possible to separate the .encfs6.xml file from the encrypted files using the /config command line option. But if you use this method you have to transfer the .encfs6.xml file to your other devices by yourself and the Android and iOS versions of BoxCryptor are no longer compatible with this setup.
I hope I could help you and you are now confident with the current BoxCryptor security design.