So in summary USE A STRONG PASSWORD and you are good to go on WPA2.

Strong passwords can only be brute forced. This is done as people stated earlier by sniffing your handshake with the router. They only get the hash of your password though. The hash is what your password turns into after it is cranked through WPA2's AES-256 encryption. The only way the attacker can then get your real password is by running guess passwords through AES-256 until one of their guesses spits out a matching hash. To try all of the possible guesses would take a mass of supercomputers longer than the age of the universe to do.

SO, the attacker hopes you used a stupid password made up of dictionary words with little or no numbers or symbols. There are websites online that will take the stolen hash and compare it to their massive pre-calculated tables of billions of simple dictionary word based password/hash combos and return the correct password.

But again. Using a strong password kills the dictionary attack and leaves only the trillion year process of brute force. Unless of course mathmaticians can someday solve the P=NP problem and find linear time solutions for these exponential time problems, but that is unlikely.