Wouldn't it be more effective to just lock an account at x wrong password attempts, locking it for a few hrs and potentially banning the ip's also?
I mean who forgets their password and tries more than 3-4 times to login? After 3-4 times they'd use the forgotten password, so obviously anything above that would be brute force, hence lock and ban.

I believe Yahoo for example does that after 12 attempts, locks the account for 12 hrs. Facebook and Gmail have something similar.
Point is to make the problem go away, or make the brute force attempt not worth it, not add more hassles to actually login in.

Dunno, seems like it would a lot of trouble as opposed to the captcha challenge.