According to me if you want to create a 99.5% exploit-free faucet site, then you can implement both ReCaptcha and Honeypot at the same time just so that a faucet claimer will have to pass both the captchas at the same time. And I think there are very few exploits available for Honeypot whic eventually do not work after they update their security modules.
I know its tedious but you can try it out. Good luck.
Recaptcha is a good way to hold spam, over 90% in my experience.
But's it is not enough to hold 100%, in fact no captcha can do it. Every captcha can be broken by a pot.
Adding recaptcha and a custom questions is the best way to hold of spammers.
True, Google's ReCaptcha is constantly updating their captchas so that a bot doesn't recognize the images from a few visits.
This is why majority users prefer ReCaptcha.