You are doing it wrong (insecurely).
-
Do not encrypt the passwords on the client, send them in plain text to the server over HTTPS with a POST request.
-
Do not encrypt the passwords on the server, use a password secure hashing method (see my comment) that includes a salt and and iteration such that the time to hash is ~100ms. You will have no access to the original password, that is good because the attacker will not either. Yes there will be attackers, they will gain admin access, plan on it.
-
For password reset send a time-limited reset token to the user to use in creating a new password.
Note: Do use 2-factor authentication on the server and severly limit the number of people who have access.
solved encryption using AES in android, and decryption in Java [closed]