
Defense Against Brute Force Attacks Using Keys

During a brute force attack, the attacker searches for a password by trying all possible password combinations. This method is also called the exhaustive attack method. For example, a 4-digit password that contains only digits has a maximum of 10,000 combinations, so the password can be cracked after a maximum of 10,000 attempts. In theory, the brute force method can crack any password. Attackers, however, are always looking for ways to shorten the time required to crack the password. When a WLAN uses WPA/WPA2-PSK, WAPI-PSK, or WEP-Shared-Key as the security policy, attackers can use the brute force method to crack the password.

Defense against brute force attacks on keys protects WLANs by prolonging the time needed to crack passwords. An AP checks whether the number of key negotiation attempts during WPA/WPA2-PSK, WAPI-PSK, or WEP-Shared-Key authentication exceeds the configured threshold. If the threshold is exceeded, the AP assumes that the user is using the brute force method to crack the password and reports an alarm to the AC. If the dynamic blacklist function is enabled, the AP adds the user to the dynamic blacklist and discards all packets from the user until the dynamic blacklist entry expires.
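
The threshold check and dynamic blacklist described above, modelled as an added example that is not Huawei's implementation. The class and function names, the threshold of 20, the 60-second counting window and the 600-second blacklist lifetime are assumptions and do not come from this page.

```python
from collections import defaultdict, deque

class BruteForceKeyDefense:
    """Model of the AP-side check: count key negotiation attempts per station."""

    def __init__(self, threshold=20, window_s=60, blacklist_s=600, dynamic_blacklist=True):
        self.threshold = threshold          # assumed value; configured on the AP in practice
        self.window_s = window_s            # assumed counting window, not stated on the page
        self.blacklist_s = blacklist_s      # assumed lifetime of a dynamic blacklist entry
        self.dynamic_blacklist = dynamic_blacklist
        self.attempts = defaultdict(deque)  # station MAC -> timestamps of recent attempts
        self.blacklist = {}                 # station MAC -> time the entry expires
        self.alarms = []                    # (time, MAC) alarms reported to the AC

    def on_key_negotiation(self, mac, now):
        """Return 'allow', 'alarm' or 'drop' for one attempt at time `now` (seconds)."""
        expiry = self.blacklist.get(mac)
        if expiry is not None:
            if now < expiry:
                return "drop"               # entry still valid: discard the station's packets
            del self.blacklist[mac]         # entry expired: the station may negotiate again
        recent = self.attempts[mac]
        recent.append(now)
        while recent[0] <= now - self.window_s:
            recent.popleft()                # forget attempts that fell out of the window
        if len(recent) > self.threshold:    # threshold exceeded: treat as brute force
            self.alarms.append((now, mac))
            recent.clear()
            if self.dynamic_blacklist:
                self.blacklist[mac] = now + self.blacklist_s
            return "alarm"
        return "allow"

def seconds_to_try(defense, guesses, mac="02:00:00:00:00:01"):
    """Time until a station sending one attempt per second has had `guesses` attempts allowed."""
    allowed, t = 0, 0
    while True:
        if defense.on_key_negotiation(mac, t) == "allow":
            allowed += 1
            if allowed == guesses:
                return t
        t += 1

if __name__ == "__main__":
    # Constructed scenario: the 10,000-combination 4-digit password from the text.
    print("no limit:     ", seconds_to_try(BruteForceKeyDefense(threshold=10**9), 10_000), "s")
    print("with defense: ", seconds_to_try(BruteForceKeyDefense(), 10_000), "s")
```

With these assumed settings, exhausting the 10,000 combinations at one attempt per second takes 309,399 seconds instead of 9,999, because each burst of 20 allowed attempts is followed by a 600-second blacklist entry.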

Copyright © Huawei Technologies Co., Ltd.