You don't actually send 400,000 passwords to the server. You capture legit packets traveling between the access point and an authorized user and then run your brute force algo on their encryption.