I just noticed this is now public: <http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/>

Short summary: kwallet uses Blowfish to encrypt its password store, and despite an attempt at implementing CBC mode (in a file called cbc.cc no less), it's actually ECB mode. UTF-16 encoding combined with Blowfish's 64-bit block size means there are just four password characters per block. Encryption is convergent as well. This may enable recovery of passwords through codebook attacks.

Should we treat this as a minor vulnerability?

http://security.stackexchange.com/a/44010/32167

> then fill it with zeros; then XOR all these zeros with the data to encrypt (which won't change the data...); then proceed to encrypt each block independently of each other. This is, indeed, ECB mode, not CBC. It is quite obvious that this is a programming error ... This implies that the random IV which was computed does nothing here; it is encrypted by itself but does not impact any other byte in the whole file.
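To make the failure mode concrete, here is an added illustration (not code from the post, from kwallet, or from the quoted answer) of the chaining bug as the quoted answer describes it, beside a correct CBC loop. The block cipher is a stand-in: a 4-round Feistel permutation on 64-bit blocks built from SHA-256, constructed only so the example runs without a Blowfish library (it is not Blowfish and not meant for real use). The key, IVs and the sample UTF-16 password are constructed values. The "broken" routine allocates a random IV, encrypts it on its own, then XORs every plaintext block with a zero block before encrypting it independently, so the IV never touches the data; the repeated-block check that a reviewer would run over the output is what distinguishes that from genuine CBC.

```python
import hashlib

BLOCK = 8  # 64-bit block size, as with Blowfish


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit block cipher: a 4-round Feistel network whose round
    function is SHA-256 over (key, round, right half). Any keyed permutation
    would do here; the chaining mode is what the example is about."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, _xor(left, f)
    return left + right


def _pad(data: bytes) -> bytes:
    """PKCS#7-style padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def broken_cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    """The pattern described in the quoted answer: the IV block is encrypted
    by itself, the 'previous block' buffer is zero-filled and never updated,
    so the XOR is a no-op and every data block is encrypted independently.
    Output layout: E(iv) || E(p1) || E(p2) || ...  (effectively ECB)."""
    data = _pad(plaintext)
    out = bytearray(toy_block_encrypt(key, iv))
    prev = bytes(BLOCK)  # zeros, and never replaced by the last ciphertext
    for i in range(0, len(data), BLOCK):
        chunk = _xor(data[i:i + BLOCK], prev)  # XOR with zeros changes nothing
        out += toy_block_encrypt(key, chunk)
    return bytes(out)


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    """Correct CBC: each plaintext block is XORed with the previous
    ciphertext block (the IV for the first block) before encryption.
    Output layout: iv || c1 || c2 || ..."""
    data = _pad(plaintext)
    out = bytearray(iv)
    prev = iv
    for i in range(0, len(data), BLOCK):
        block = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += block
        prev = block
    return bytes(out)


def repeated_blocks(body: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier one. Any
    repeat in the body of a CBC-mode file is a strong sign of ECB."""
    blocks = [body[i:i + BLOCK] for i in range(0, len(body), BLOCK)]
    return len(blocks) - len(set(blocks))


def demo() -> dict:
    # Constructed inputs: a fixed key, two distinct fixed IVs, and a password
    # whose UTF-16-LE encoding (16 bytes) is two identical 8-byte blocks,
    # i.e. four characters per block as the summary above points out.
    key = b"demo-key-16bytes"
    iv1, iv2 = bytes(range(8)), bytes(range(8, 16))
    password = "aaaaaaaa".encode("utf-16-le")

    broken1 = broken_cbc_encrypt(key, password, iv1)
    broken2 = broken_cbc_encrypt(key, password, iv2)
    real1 = cbc_encrypt(key, password, iv1)
    real2 = cbc_encrypt(key, password, iv2)

    return {
        # identical plaintext blocks -> identical ciphertext blocks
        "broken_repeats": repeated_blocks(broken1[BLOCK:]),
        "real_repeats": repeated_blocks(real1[BLOCK:]),
        # the IV does not influence the data blocks at all in the broken mode
        "broken_body_independent_of_iv": broken1[BLOCK:] == broken2[BLOCK:],
        "real_body_independent_of_iv": real1[BLOCK:] == real2[BLOCK:],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two observations the post makes both fall out of `demo()`: the broken mode leaks that blocks 1 and 2 of the password are equal, and re-encrypting the same store under a fresh IV produces the same data blocks, which is the convergent behaviour the summary mentions. A repeated-block scan like `repeated_blocks` over the body of a wallet file is a cheap way for an auditor to notice that a "CBC" implementation is not chaining.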