It turns out that the router is so old that it needs a firmware update to use WPS even though it has a button for it. It's still on stock firmware, so I can't use WPS based attacks. I captured the handshake and tried using the rockyou.txt with Kali Linux for a dictionary attack, but the password wasn't in there. I uploaded the .cap file to darkircop, but I'm not expecting any results.
My only hope is to wait for a severe thunderstorm that happens to coincide with a time that my roommate isn't here. If that ever happens, I'll flip the breakers to reset any clocks if he has any, then reset the router, log into it using default password, update firmware to enable WPS, and wait. Hopefully he'll blame the thunderstorm for knocking out his electronics, and he'll set up his router accordingly. However, since WPS is now enabled, I can hack into it at any time.
Either that or just reset his router at any time and disable the password completely. Hopefully his devices will auto connect as long as the SSID is the same and there is no password. It's pretty risky though.
Anyway, thanks for your help everyone.