Also a security flaw, you are using a constant IV everywhere, it looks like. You need to use a different IV for each encryption.
I'm not an AES expert, so permit a dumb question: does AES decryption require knowledge of the IV used to encrypt a given ciphertext?
With the only information persisting between sessions being the user's passphrase, that would seem to imply storing the IV for each encryption?
An IV is always transmitted before the ciphertext (or stored, in this case) and is necessary for decryption. The IV's purpose is to start the encryption from a random state, so that encrypting the same plaintext twice does not result in the same ciphertext. This prevents comparing two records that have the same initial segment.
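To make the answer concrete, here is an added example in Go (standard library only, not code from this thread or its author) that puts the constant-IV pattern next to the fix: the IV is drawn fresh per encryption and stored as the first block of the record, so decryption reads it back and nothing but the key has to persist between sessions. It assumes AES-CBC with PKCS#7 padding, since the thread does not name a mode, and a key that would in practice be derived from the user's passphrase.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// PKCS#7 padding makes the record a whole number of AES blocks; unpad rejects malformed padding.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}
func unpad(b []byte) ([]byte, error) {
	n, p := len(b), int(b[len(b)-1])
	if p == 0 || p > aes.BlockSize || p > n || !bytes.Equal(b[n-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad padding")
	}
	return b[:n-p], nil
}
// EncryptWithIV returns iv||ciphertext; called with a fixed IV it reproduces the flaw from the thread.
func EncryptWithIV(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(iv) != aes.BlockSize {
		return nil, errors.New("bad key or IV length")
	}
	out := append(append([]byte{}, iv...), pad(plaintext)...) // IV in front; not secret, just unique
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], out[aes.BlockSize:])
	return out, nil
}
// Encrypt is the fix: a fresh random IV on every call, stored with the record.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return EncryptWithIV(key, iv, plaintext)
}
// Decrypt reads the IV back from the record, so only the key needs to persist between sessions.
func Decrypt(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(record) < 2*aes.BlockSize || len(record)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or record length")
	}
	pt := make([]byte, len(record)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, record[:aes.BlockSize]).CryptBlocks(pt, record[aes.BlockSize:])
	return unpad(pt)
}
```

With a constant IV, two records whose plaintexts begin with the same 16 bytes share their first ciphertext block, which is exactly the comparison the answer above warns about; with a random IV they do not.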