From DD-WRT Wiki
All PSK protection schemes are vulnerable to wpacracker.com and other types of brute force attacks. There are ways to lessen your vulnerability, but the best defense is to use "enterprise" protection rather than pre-shared keys. I am new to dd-wrt, but working through the documentation to provide guidance on doing this.
one SSID for open use as a friendly hot spot, with appropriate rate filtering, or for use with PSK
one SSID for use with WPA2/Enterprise/Radius
iptable rules to ensure the LAN can get to WiFi, but not the other way around
ssh, openvpn and voip access from the WAN
If there is interest, I will post my results. If there is anything extra that someone wants, let me know, I might want it too.
My thanks to everyone who has made DD-WRT such an incredible resource.