Captcha is actually pretty easy to largely by pass. People will just hire indians or chinese people to do them all day. Or they will make pop up spam that requests people fill in the captcha to see pr0n. Or they will make their botnet with a million windows users on it replace the screen lock with a screen that makes them type in five different captchas before they can get back to their desktop. Captcha are good for stopping the average spammer / whatever, but if you ask a security pro about using captcha for any critical security system they will lol at it. They would probably lol at using passwords too though, and suggest that zero knowledge authentication be used instead. http://www.sitepoint.com/avoid-captchas/