Overview

CAPTCHA is an abbreviation for Completely Automated Public Turing test to tell Computers and Humans Apart.
There is no doubt that automated (bot-driven) login attempts are a real threat; however, there are ways of dealing with them seamlessly that don't require a CAPTCHA, specifically properly designed server-side login throttling schemes.
Know that CAPTCHA implementations are not all created alike: they often aren't human-solvable, most of them are ineffective against bots, all of them are ineffective against cheap human labour (according to OWASP, the going rate for CAPTCHA-solving sweatshops is $12 per 500 tests), and some implementations may be technically illegal in some countries (see the OWASP Guide to Authentication).
We personally find CAPTCHAs annoying (poor user experience) and use them only as a last resort: when a user has failed to log in a number of times and the server-side login throttling scheme has already reached its maximum delay. This happens rarely enough to be acceptable, and it strengthens the system as a whole.
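A worked example of the policy described above (escalating server-side throttling first, CAPTCHA only once the throttle has nothing left to escalate). This is added illustration code, not the page's own or any particular framework's: the class and function names, the delay schedule (three free attempts, then a per-account delay doubling from 2 s up to a 300 s ceiling), the constructed user table and the fake clock are all assumptions made for the demo.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class _Record:
    failures: int = 0          # consecutive failed attempts for this account
    locked_until: float = 0.0  # clock value before which attempts are refused


class LoginThrottle:
    """Escalating per-account delay after repeated login failures (hypothetical).

    Keyed by username rather than client IP, so an attacker rotating source
    addresses still hits the same counter. The store is a process-local dict
    here; a real deployment would share it across app servers (e.g. Redis)
    and usually add a second, per-source-IP throttle on top.
    """

    def __init__(self, free_attempts: int = 3, base_delay: float = 2.0,
                 max_delay: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._clock = clock
        self._store: Dict[str, _Record] = {}

    def delay_for(self, failures: int) -> float:
        """Delay imposed after `failures` consecutive failures: none for the
        first few, then doubling from base_delay, capped at max_delay."""
        if failures <= self.free_attempts:
            return 0.0
        return min(self.base_delay * 2 ** (failures - self.free_attempts - 1),
                   self.max_delay)

    def failures_until_captcha(self) -> int:
        """Number of failures at which the delay first hits its ceiling."""
        f = 1
        while self.delay_for(f) < self.max_delay:
            f += 1
        return f

    def captcha_required(self, username: str) -> bool:
        """True once the throttle is maxed out: the last-resort CAPTCHA applies."""
        rec = self._store.get(username, _Record())
        return rec.failures >= self.failures_until_captcha()

    def check(self, username: str) -> Tuple[bool, float]:
        """(allowed, seconds until the next attempt is accepted) right now."""
        rec = self._store.get(username, _Record())
        remaining = rec.locked_until - self._clock()
        return (remaining <= 0, max(remaining, 0.0))

    def record_failure(self, username: str) -> float:
        rec = self._store.setdefault(username, _Record())
        rec.failures += 1
        delay = self.delay_for(rec.failures)
        rec.locked_until = self._clock() + delay
        return delay

    def record_success(self, username: str) -> None:
        self._store.pop(username, None)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count kept modest so the demo runs quickly; raise it in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo user table {username: (salt, pbkdf2 hash)}; not real credentials.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}
_DUMMY_SALT = b"\x00" * 16  # used for unknown users so timing looks the same


def attempt_login(throttle: LoginThrottle, username: str, password: str,
                  captcha_solved: bool = False) -> str:
    """Returns "ok", "bad_credentials", "throttled" or "captcha_required"."""
    allowed, _retry_after = throttle.check(username)
    if not allowed:
        return "throttled"                 # refuse before touching the password hash
    if throttle.captcha_required(username) and not captcha_solved:
        return "captcha_required"          # throttle exhausted: demand the CAPTCHA
    salt, stored = USERS.get(username, (_DUMMY_SALT, b""))
    candidate = _hash_password(password, salt)   # always computed, even for unknown users
    if stored and hmac.compare_digest(candidate, stored):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "bad_credentials"


class FakeClock:
    """Controllable clock so the escalation can be exercised without sleeping."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    th = LoginThrottle(clock=clock)
    for _ in range(5):
        print(attempt_login(th, "alice", "wrong"), th.check("alice"))
    clock.t += 2.0
    print(attempt_login(th, "alice", "correct horse battery staple"))
```

Note the ordering in attempt_login: the throttle is consulted before any password hashing, so a locked-out attacker cannot burn CPU on PBKDF2, and the hash is computed for unknown usernames too, so response time does not reveal which accounts exist.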
A few takeaways from a large-scale study of human CAPTCHA solving (Bursztein et al., 2010):
- 3 people looking at the same text CAPTCHA agreed on the reading only 71% of the time.
- Average time to solve a text-based CAPTCHA was 9.8 seconds.
- 3 people listening to the same audio CAPTCHA came up with the same value only 31.2% of the time.
- Average time to solve an audio CAPTCHA was 28.4 seconds.
- Time to solve was even longer for non-native English speakers.