Comment 7 for bug 1004845

Darsey Litzenberger (dlitz) wrote :

"I don't think [insert arbitrary misuse of crypto here] is horrifically insecure here"

This is wrong-headed thinking. If I had a dollar for every time a programmer said that and was wrong, I would be rich.

Strong crypto is only strong if you follow the instructions *exactly*. Everything else is snake oil.

"the key + IV-reuse is minimal"

The same key and IV are reused for every single password, so you get this:

>>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("a").encode('hex')
'6a'
>>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("ab").encode('hex')
'6af9'
>>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("ab").encode('hex')
'6af9'
>>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("abc").encode('hex')
'6af9bb'
>>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("abc").encode('hex')
'6af9bb'
>>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("abc").encode('hex')
'6af9bb'
>>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("abc1").encode('hex')
'6af9bb63'
>>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("abc2").encode('hex')
'6af9bb60'
>>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("abc3").encode('hex')
'6af9bb61'
>>> AES.new("0123456789abcdef", AES.MODE_CFB, "\0"*16).encrypt("abc4").encode('hex')
'6af9bb66'

Notice a pattern in the ciphertexts?
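
The pattern in that session can be checked mechanically. The following is an added example, not part of the original comment or the project's code: it takes the hex ciphertexts shown above, confirms that the first differing ciphertext bytes XOR to the same value as the corresponding plaintext bytes, and includes an audit helper that flags stored ciphertexts sharing leading bytes as a sign of key and IV reuse. The function names and the `min_prefix` threshold are assumptions made for illustration.

```python
from itertools import combinations

# Plaintext -> hex ciphertext, copied from the interpreter session above.
PAGE_SAMPLES = {
    "a": "6a", "ab": "6af9", "abc": "6af9bb",
    "abc1": "6af9bb63", "abc2": "6af9bb60",
    "abc3": "6af9bb61", "abc4": "6af9bb66",
}

def shared_prefix_len(c1: bytes, c2: bytes) -> int:
    """Number of identical leading bytes in two ciphertexts."""
    n = 0
    for x, y in zip(c1, c2):
        if x != y:
            break
        n += 1
    return n

def first_diff_xor(c1: bytes, c2: bytes):
    """XOR of the first differing bytes, or None if one is a prefix of the other."""
    n = shared_prefix_len(c1, c2)
    if n >= min(len(c1), len(c2)):
        return None
    return c1[n] ^ c2[n]

def audit(ciphertexts, min_prefix=2):
    """Return (i, j, prefix_len) for every pair sharing >= min_prefix leading bytes.

    With a fresh random IV per message, leading bytes should almost never
    match, so findings here point to a fixed key and IV (hypothetical check).
    """
    findings = []
    for (i, a), (j, b) in combinations(enumerate(ciphertexts), 2):
        n = shared_prefix_len(a, b)
        if n >= min_prefix:
            findings.append((i, j, n))
    return findings

def check_page_samples():
    """For each diverging pair: (p1, p2, prefix_len, ciphertext XOR == plaintext XOR)."""
    results = []
    for (p1, h1), (p2, h2) in combinations(PAGE_SAMPLES.items(), 2):
        c1, c2 = bytes.fromhex(h1), bytes.fromhex(h2)
        x = first_diff_xor(c1, c2)
        if x is not None:
            n = shared_prefix_len(c1, c2)
            results.append((p1, p2, n, x == (ord(p1[n]) ^ ord(p2[n]))))
    return results
```

Run against a real password store, `audit` needs only the ciphertext column; any findings mean the records should be re-encrypted with a unique IV per entry.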