Specifications : Defined in RFC 2898 from RSA Labs (PKCS#5) http://www.ietf.org/rfc/rfc2898.txt
See this example : http://stackoverflow.com/questions/992019/java-256-bit-aes-password-based-encryption
Password security management : NEVER save a clear password anyware. We save the password hash salted via PBE mechanism. Cf this thread by an expert : http://www.developpez.net/forums/d925885/java/general-java/apis/securite/utiliser-lalgorithme-pbe-aes-sha/ PBE explanation : http://en.wikipedia.org/wiki/PBKDF2 Oracle Doc : http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#PBEEx Good practices :
Check this : http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#MessageDigest
Don't forget that key length usage is restricted by default on EVERY JDK by default http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html http://www.bouncycastle.org/wiki/display/JA1/Frequently+Asked+Questions
http://stackoverflow.com/questions/18142745/how-do-i-generate-a-salt-in-java-for-salted-hash
NIST recommendations : http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf