You could argue why not give each accessiong IP 1 try on successful login before requiring captcha.
And btw. did you fix Fileserve upload for your users already? I assume you are a developer of sBorg by the look of your avatar/sig). BloodSucker was quite furious earlier for not being able to upload with your tool.
Yes, thats another option. 1 or 2 tries per IP, then require captcha to try again. That would protect against bruteforce attacks and avoid captcha for regular users with valid IPs.
I can code sBorg to upload directly to account without loggin in first, but this does not solve the problem of downloading as users still require to login before they can download.
If fileserve had smt like rapidshare for downloading like:
Code:
http://usernam:password@www.fileserve.com/file/randomID/filename.rar
Lets see what RickyFS thinks about this...