Tags: node.js, cryptography, aes, cryptojs

How to pick a password for AES using cryptoJS, or node's default crypto?


I'm hazy on the initial setup of AES, but I understand how the algorithm itself works once we start rounds 2-14 (subBytes, shiftRows, mixColumns, addRoundKey), depending on the size of the key.

What I don't follow is the initial password and setup. Do we pick a password of any length, or we create our own 128, 192, or 256 bit password, that is then used throughout the application?

For instance, in this example of using AES with cryptojs:

var CryptoJS = require("crypto-js"); // in a browser build CryptoJS is a global instead
var myString   = "attack at dawn";
var myPassword = "superSecretPassword";
// passing a string (not a WordArray key) as the second argument selects the password mode
var encrypted = CryptoJS.AES.encrypt(myString, myPassword);

Is the myPassword variable run through a hash to create a 128, 192, or 256 bit key? For best security, should we make myPassword 256 bits already?


Solution

  • Your confusion is 100% due to a bad API in crypto-js.

    In the real world, encryption is done with keys, not passwords. If one has only a password, then they should convert it to a key using a Password Based Key Derivation Function, such as pbkdf2, scrypt, bcrypt, or argon2.

    In crypto-js, encryption can be done with either keys or passwords (two different API calls). The password-based encryption in crypto-js is non-standard, and uses an insecure Password Based Key Derivation Function.

    Upshot: do not use the crypto-js password based encryption API. Instead, use the API that takes a key and IV, where the key is either 128-bit, 192-bit, or 256-bit.

    References: