It looks as though no salt data is used when saving encrypted entity data, making the stored data susceptible to dictionary attacks.
If you look through the stored demo data, you can see all the demo accounts' passwords are the same:
As a comparison, if you create two Unix accounts, "ofbiz1" and "ofbiz2", and set both passwords to "ofbiz":
You can see that on Unix, even though the passwords are the same, the encrypted values are completely different.
For more information see:
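The comparison described above, as an added example that is not part of the original report and is not OFBiz code: it audits a credential table for identical stored values, first with an unsalted digest and then with a per-account random salt. Plain SHA-1 as the unsalted scheme, PBKDF2-HMAC-SHA256 as the salted one, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: two accounts sharing one password, as in the report.
ACCOUNTS = {"ofbiz1": "ofbiz", "ofbiz2": "ofbiz"}


def unsalted_hash(password):
    # Assumption: a plain SHA-1 digest stands in for the unsalted stored value.
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt=None, iterations=100_000):
    # A fresh 16-byte salt per account makes equal passwords store differently.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password, stored):
    # The salt and iteration count travel with the record, so login still works.
    _scheme, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def shared_password_groups(stored):
    # Audit check: accounts whose stored values are byte-identical.
    groups = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    unsalted = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
    salted = {u: salted_hash(p) for u, p in ACCOUNTS.items()}
    print("unsalted duplicates:", shared_password_groups(unsalted))
    print("salted duplicates:  ", shared_password_groups(salted))
    print("salted login ok:    ", verify("ofbiz", salted["ofbiz1"]))
```

Running the same duplicate check over a real credential table is a quick way to confirm whether stored values are salted.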