TradeHill seem to use a captcha to prevent logins being bruce forced. It seems a bit of an odd approach to me ... wouldn't rate throttling on the server be a better solution that wouldn't inconvenience the users every time they log in?