Use RADIUS or a captive portal. WPA Enterprise lets you use a server so that each person enters a user name and password; that is mainly done with a RADIUS server. A captive portal can do the same thing, but it usually redirects the user to a web site that requires the person to enter a user name and password. Of course, both require an expensive router or third-party firmware.
MAC address filtering might keep out the usual people, so it's not a bad idea to have it enabled, because shared keys, as the name implies, can be compromised easily.
The reason MAC address filtering doesn't work against a hacker is that it's too easy to sniff and find out an address, then spoof it (changing one's own MAC address).
Shared keys like 64-bit or 128-bit WEP are too easy to crack. WPA or WPA2 is the strongest option recommended for home users; its only weakness is a dictionary attack. That's why you use a password that is complicated and is not in the dictionary or a commonly used password. But its other weakness is simple: it is a shared key, and anyone who knows it can leak it.
There is no method to prevent a person from sharing his or her password, unless you enforce a strict policy that makes users change their passwords all the time.
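The passphrase advice above can be turned into a check you run before setting a WPA/WPA2 key. This is an added example, not part of the original post; the function names, finding codes and the small word list are constructed for illustration, and a real audit would load a much larger list.

```python
import re

# Constructed sample of common base words; replace with a real wordlist for an audit.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty",
                "internet", "wireless", "linksys", "admin"}
# Common character substitutions, undone before the dictionary lookup.
LEET = str.maketrans("0134578@$!", "oieastbasi")


def normalize(text):
    """Reduce text to the base word that simple mangling rules start from."""
    s = text.lower()
    # Drop digits and symbols padded onto either end ("Welcome2024!" -> "welcome").
    s = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", s)
    # Undo substitutions inside the word ("passw0rd" -> "password").
    return s.translate(LEET)


def audit_psk(passphrase, ssid=""):
    """Return a list of finding codes; an empty list means no issue was found."""
    findings = []
    # WPA/WPA2 passphrases must be 8 to 63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        findings.append("bad_length")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        findings.append("non_printable_ascii")
    base = normalize(passphrase)
    if base == "":
        # Only digits or symbols, e.g. a phone number or date.
        findings.append("no_letters")
    elif base in COMMON_WORDS:
        findings.append("dictionary_word")
    ssid_base = normalize(ssid)
    if ssid_base and ssid_base in base:
        # A key built from the network name is among the first guesses.
        findings.append("contains_ssid")
    return findings


if __name__ == "__main__":
    for candidate in ("Passw0rd123", "HomeNet2024!", "12345678",
                      "violet-Harbor-93-stapler-moss"):
        print(candidate, audit_psk(candidate, ssid="HomeNet"))
```

A clean result only means the key avoided these simple patterns; it does nothing about the shared-key problem of someone passing the key on.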