You're understanding is basically correct.
First I'd like to mention that if you know the PSK, or have a copy of the certificate, it's basically game over. Cracking the the session key is cryptographically trivial if you've got that much information. If you don't have the PSK or cert you're left with brute force, as you mentioned.
Certificates are just as "easy" to brute force as PSKs, except that certificates are usually longer. A sufficiently long PSK works just as well however (for practical purposes). Also cracking RC4 is essentially as easy as cracking AES (for the purposes of NGOs)
You are however drastically underestimating the processing power required to crack a decently complex PSK. A PSK should be at least 12 characters long, using lower case, upper case, numbers, and symbols.
If you wanted to search all the possible keys up to 15 characters long (using all the aforementioned characters) you would have to search about 800 septillion keys. If your computer can calculate a billion keys per second it would take about 24 billion years to try them all.
Now after you you get half way through those keys, you're more likely than not that the next key you calculate will be the correct key; thus for the purposes of probable key cracking, you can chop that time in half.
Best get started now, you've going to be there a while. See also, Jeff's Post.
It'd be much easier to simply break into the person's house and beat the information out of them. (I absolutely do not condone, advocate, or suggest physically harming someone or threatening to do so)
WiFi under WEP everyone shares the same encryption key anyway, so broadcasts are no trouble. Under WPA/WPA2 a Group Transient Key (GTK) is given to each endpoint after the initial PTK (session key) is setup. Broadcasts are sent using this GTK so that all endpoints can decrypt it. In infrastructure mode endpoints aren't allowed to talk to each-other directly, they always go through the AP.
Edit:
If you need to generate a good WPA password, here's a random password generator.
If you pick a weak dictionary based passphrase, it can be cracked very quickly (<5 minutes) with an average modern laptop; it does however require the cracker to intercept the 4 way handshake when a WPA is setup.
Edit2:
NGO = Non-Governmental Organization (ie, typical corporations or mad scientists, people without the resources to build or use a top100 supercomputer to break keys, even if they wanted to).
Within WEP, WPA, and WPA2 there is no way to prevent legitimate users who can "hear" the two initial nonces from cracking the PTK. Another layer such as IPSec could be grafted over the top (in fact, IPSec could be used to replace WEP/WPA). WEP and WPA are not meant to insure individual privacy. They are meant to make your wireless network as secure as a wired network (which is not very secure in the first place). While they aren't perfect, they meet this goal most of the time.
Best Answer
The recommended way for doing this is to use a DMZ configuration. You can maintain an open wireless connection to allow guests to easily connect to it. However, there are a few things that you will want to control.
Place the wifi devices on a different subnet and network range than your local network. This will force the computers to route packets through your firewall device. Ensure that the wireless network is physically disconnected from the local network.
(Optional) Implement some sort of radius authentication, maybe using chilispot or something similar. This will allow you some sort of authentication. You can use this to better control the use of your wifi. Guests may be given a username/password login for use during their stay.
Hope this gives you some ideas.