Crypto Algorithm Question - Quick question about AES

Hello,
When people talk about the key length of AES (128, 192, 256, etc.), is this the same as the length of the shared secret? If this is true, I am confused as to how you can have 128-bit (or more) strength AES encryption if you use a shared secret of only eight characters, like "password"?

Any info is appreciated!

its considered bad form to use short ascii as the key. In most langauges, ascii words don't use the high order bit and have fairly restricted range.

The normal model is to take the passphrase and process it through SHA or other cryptographic hash to get the key.
Usually these have a salt phrase, google HMAC

Since AES can only deal with a key of a certain size, a user password will be expanded to a better password in a way fish mentioned, or, worst case, simply padded to an appropriate length.

I don't think AES has any known "bad keys" that are really weak, but I would expect that any constant padding is a bad idea.

its not hard to use a HMAC, and it sure feels a lot safer.

I wasn't thinking of weak keys (of which AES has none), but rather the fact that using the user's ASCII key directly (the only way to do so would be to pad) is kind of ugly. Like you say, HMAC is so easy to use its hard to justify not using it.

Also worth considering that while encrypting with a 128 bit key gives 128 bit strength and can therefore be considered uncrackable with current technology your average attacker won't try to crack it directly but will try to guess your passphrase instead. If you chose "password" as your passphrase it won't take him very long and will waste all the effort of the clever people who designed AES.