WPA2- how to upgrade

  • hermosabeach
    I need a LIFE!!
    • Feb 2009
    • 19140

    WPA2- how to upgrade

    Chatting with a nerd friend (one of those mathematics PhD types), he explained how WPA2 can be cracked in a few minutes.

    Does anyone know if any of the hardware companies are offering upgrades to WPA3 or the next gen of security?

    Have you upgraded your hardware or firmware?
    Rule 1- ALL GUNS ARE ALWAYS LOADED

    Rule 2 -NEVER LET THE MUZZLE COVER ANYTHING YOU ARE NOT PREPARED TO DESTROY (including your hands and legs)

    Rule 3 -KEEP YOUR FINGER OFF THE TRIGGER UNTIL YOUR SIGHTS ARE ON THE TARGET

    Rule 4 -BE SURE OF YOUR TARGET AND WHAT IS BEYOND IT
    (thanks to Jeff Cooper)
  • #2
    hermosabeach
    I need a LIFE!!
    • Feb 2009
    • 19140

    I updated the firmware on my router... anyone concerned about this?

    • #3
      Robotron2k84
      Senior Member
      • Sep 2017
      • 2013

      It will depend on how WPA2 was implemented on your router. In some cases it's part of the WiFi chipset and others do the handshaking in software via an EAP module and supplicant.

      Firmware updates could potentially disable the hardware WPA2 support and supply an EAP module in software to do the authentication, and it will depend on the relative performance of the router's CPU if this is feasible.

      On the client side, most OSs implement WPAx as a software supplicant, so an upgrade or patch will enable WPA3.

      Getting away from pre-shared keys is what this is all about. WPAx Enterprise already does this with external authentication, which is why it's still less vulnerable.


      • #4
        hermosabeach
        I need a LIFE!!
        • Feb 2009
        • 19140

        OK, so it sounds like there is not a need to rush and look for a WPA3 router yet.

        • #5
          Robotron2k84
          Senior Member
          • Sep 2017
          • 2013

          Meh. Your next upgrade in router hardware should come with it. There are really only two differences that will matter to most people in WPA3: per-connection TLS with separate keys (which is why CPU is a factor on the router), and a new NatSec-approved (trollolol, hello NSA) cipher suite. The handshaking of WPA3 will be slightly more robust, but only equal to EAP-TLS on WPA2 Enterprise.

          If you want to keep WPA2 for a bit longer, look into setting up Enterprise Auth. It's a bit more involved, and requires a RADIUS server running somewhere, but it's rather straightforward and once set up is pretty easily managed.

          EAP-TTLS, PEAP and MSCHAP-V2 don't require client certs, but the latter two are weak and the former requires a device profile on Apple hardware to utilize 802.1x over WiFi.


          • #6
            Fizz
            Senior Member
            • Feb 2012
            • 1473

            WPA2 isn't easily broken at all.

            The problem with WPA2 is weak passwords and single pre-shared keys. The weak passwords can be broken with a dictionary or brute force attack after capturing the handshake(s). However, if your password isn't part of the dictionary/brute force sequence it won't be broken.

            The common way to break WPA2 is to social engineer it (ask an employee for the password, etc.) or access points with a small keyspace/weak passwords. For example, ATT used to give every customer a 2WIRE router with SSID 2WIRE### and a 10 digit numeric password. These could be broken easily. I know, because I had passwords for every 2WIRE### network in my neighborhood within a week doing the processing on an extra computer. People used to love setting passwords to phone numbers, bad idea. This keyspace effectively limits the password to 7 digit numeric (per area code in a region).

            Another way is to retrieve a password from a device, either via malicious software, stealing the hardware and finding a file that has it, pulling it from the saved network list, etc. Other vulnerabilities include WPS implementations.

            Don't freak out too much about WPA2-PSK by itself. If you start giving it to guests that come over, etc. or you lose assets that have that information stored, then change it.

            Yes, RADIUS is the better way to go. This is my required route for business clients. For home, WPA2-PSK is OK as long as you understand how it can be broken.

            Comment
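The keyspace argument in the post above (10-digit numeric defaults, phone numbers that leave only 7 unknown digits per area code), worked through as an added example that is not part of the original thread. The function name `audit_psk`, the guess rate, the area codes and the wordlist are assumptions made for illustration.

```python
import math
import string

# Assumption: offline guess rate against a captured handshake. A constructed
# round figure for illustration, not a measured benchmark.
ASSUMED_GUESSES_PER_SEC = 100_000
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")


def audit_psk(passphrase, local_area_codes=(), wordlist=()):
    """Return keyspace size and weakness findings for a WPA2-PSK passphrase.

    local_area_codes and wordlist are hypothetical inputs: the area codes in
    use where the network lives, and words a guessing dictionary would hold.
    """
    if not 8 <= len(passphrase) <= 63 or not all(" " <= c <= "~" for c in passphrase):
        raise ValueError("WPA2 passphrases are 8-63 printable ASCII characters")

    findings = []
    # Upper bound: every position drawn from the union of classes in use.
    alphabet = sum(len(cls) for cls in CLASSES
                   if any(c in cls for c in passphrase))
    keyspace = alphabet ** len(passphrase)

    if passphrase.lower() in (w.lower() for w in wordlist):
        keyspace = len(wordlist)  # found by a dictionary pass; length is moot
        findings.append("dictionary word")
    elif passphrase.isdigit():
        findings.append("numeric only")
        if len(passphrase) == 10 and passphrase[:3] in local_area_codes:
            # Phone number: the area code is guessable, 7 digits remain.
            keyspace = len(local_area_codes) * 10 ** 7
            findings.append("local phone number pattern")

    days = keyspace / ASSUMED_GUESSES_PER_SEC / 86_400
    if days < 365:
        findings.append("exhaustible in under a year at the assumed rate")
    return {"keyspace": keyspace, "bits": round(math.log2(keyspace), 1),
            "worst_case_days": days, "findings": findings}


if __name__ == "__main__":
    # Constructed sample passphrases, not taken from any real network.
    for psk in ("3105550142", "8294017365", "t7#Qm2!vLx9@Ke4z"):
        print(psk, audit_psk(psk, local_area_codes=("310", "424"),
                             wordlist=("password", "letmein123")))
```

The alphabet-based figure is an upper bound; a passphrase built from real words or a vendor's default pattern has a far smaller effective keyspace than its length suggests.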

            • #7
              Dragunov
              Senior Member
              • Dec 2008
              • 1953

              Originally posted by hermosabeach
              Chatting with a nerd friend (one of those mathematics PhD types), he explained how WPA2 can be cracked in a few minutes.

              Does anyone know if any of the hardware companies are offering upgrades to WPA3 or the next gen of security?

              Have you upgraded your hardware or firmware?

              It doesn't matter. One of the things we taught in 25/u, and 25/b, was just how insecure WiFi/Routers in general are. Anyone with a Linux box can hack any home router/WiFi in under a minute, regardless of the security measures taken.

              Keep your AV, Anti-Malware, Firewall, and firmware up to date, surf with common sense. Best you can do.


              • #8
                Robotron2k84
                Senior Member
                • Sep 2017
                • 2013

                ^ And this is why, even with the strongest EAP policy and client certs on token cards, that layer 4-7 traffic is still encrypted. WiFi encryption is chaining-block cipher, which offers no forward security, and captured packets can be later decrypted if the key is cracked.


                • #9
                  guhuna
                  Member
                  • Mar 2015
                  • 98

                  To be honest, WPA3 is not something I'd worry about at the moment. WPA2 isn't as easy to crack as some articles make it out to be. It isn't as easy as running a Linux distro and hitting the Enter key. Now WEP and WPS, on the other hand... LOL.


                  • #10
                    MrBlazito
                    Senior Member
                    • May 2011
                    • 1005

                    Originally posted by Fizz
                    WPA2 isn't easily broken at all.

                    The problem with WPA2 is weak passwords and single pre-shared keys. The weak passwords can be broken with a dictionary or brute force attack after capturing the handshake(s). However, if your password isn't part of the dictionary/brute force sequence it won't be broken.

                    The common way to break WPA2 is to social engineer it (ask an employee for the password, etc.) or access points with a small keyspace/weak passwords. For example, ATT used to give every customer a 2WIRE router with SSID 2WIRE### and a 10 digit numeric password. These could be broken easily. I know, because I had passwords for every 2WIRE### network in my neighborhood within a week doing the processing on an extra computer. People used to love setting passwords to phone numbers, bad idea. This keyspace effectively limits the password to 7 digit numeric (per area code in a region).

                    Another way is to retrieve a password from a device, either via malicious software, stealing the hardware and finding a file that has it, pulling it from the saved network list, etc. Other vulnerabilities include WPS implementations.

                    Don't freak out too much about WPA2-PSK by itself. If you start giving it to guests that come over, etc. or you lose assets that have that information stored, then change it.

                    Yes, RADIUS is the better way to go. This is my required route for business clients. For home, WPA2-PSK is OK as long as you understand how it can be broken.

                    WPS PIN cracking will reveal your WPA2 password no matter how complex it is. Fortunately most newer modems/routers will just time out after 5-10 attempts and WPS will get locked until the modem/router is rebooted.
                    Last edited by MrBlazito; 08-19-2018, 8:58 PM.


                    • #11
                      Fizz
                      Senior Member
                      • Feb 2012
                      • 1473

                      Originally posted by MrBlazito
                      WPS PIN cracking will reveal your WPA2 password no matter how complex it is. Fortunately most newer modems/routers will just time out after 5-10 attempts and WPS will get locked until the modem/router is rebooted.
                      SBS-class and higher equipment never implements WPS. I did mention WPS as a vector in my post.

                      Yes, there was the reaver attack for WPS, you should apply a patch or upgrade your device if it's Reaver vulnerable. Not all APs allow you to disable WPS fully but you should if you can.

                      WPS and WPA2 are distinct technologies and not specifically a problem with WPA2.
