For the password, I'd suggest not encrypting/decrypting it. Rather, it is better to store the MD5/hash value of the password in the database and only verify the MD5/hash of any user-supplied password against the database. This way, you never risk exposing the raw password to anyone, including the database admin. Also, you don't have to worry about managing the encryption key, which is very troublesome.
BTW, Tomcat 5 already has built-in support for storing hashed passwords if you use its database realm.