Also a security flaw: you are using a constant IV everywhere, it looks like. You need to use a different IV for each encryption.
I'm not an AES expert, so permit a dumb question: does AES decryption require knowledge of the IV used to encrypt a given ciphertext?
With the only information persisting between sessions being the user's passphrase, that would seem to imply storing the IV for each encryption?
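An added example, not code from this thread or from the poster's project, showing the usual answer to the question above: decryption does need the IV, so a fresh random IV is generated per encryption and stored in the clear in front of the ciphertext, and nothing but the key (or passphrase) has to persist between sessions. It assumes AES-GCM, where the 12-byte nonce plays the IV role (the thread does not name a mode; the same store-it-with-the-ciphertext pattern applies to CBC), and `sealWith`, `Encrypt` and `Decrypt` are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM wraps an AES key in GCM mode; GCM's 12-byte nonce plays the IV role.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts under an explicit IV and returns IV || ciphertext || tag. With a
// fixed IV it is deterministic (equal plaintexts, equal output): the "constant IV" leak.
func sealWith(key, iv, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), iv...) // IV goes first, in the clear: unique, not secret
	return gcm.Seal(out, iv, plaintext, nil), nil
}

// Encrypt is the fix: a fresh random IV per call, stored with the ciphertext.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, 12) // cipher.NewGCM's standard nonce size
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return sealWith(key, iv, plaintext)
}

// Decrypt takes the IV back off the front of the blob, so only the key (or the
// passphrase it is derived from) has to persist between sessions.
func Decrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

Because GCM authenticates, a blob whose IV or ciphertext was altered fails to open rather than decrypting to garbage.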