Well, it still doesn't let me in without awkward measures today.
Thank you for the suggestion of using 'anonymous' mode; at least that seems to work today. I have had another site ban that too (and their answer was also use Chrome -- until they banned Chrome for a while due to a security hole a short time later, then they just said to wait for their web people to get it sorted out or for the version of Chrome that Google had promised would fix the hole for which they banned it), so I'm not holding much hope it will continue to work for very long.
I loathe it not just on principle of having to pass some stupid Turing test (that by the time I see it the first time already has services online to defeat it!), but also on the grounds that it seems like another security sham -- like using Unm3Merab! p@5swerdZ (I dropped the 'e' from the end of 'unmemerable' because most systems limit you to 10 characters) that are restricted to a few characters (so easy to brute-force) instead of a reasonably long passphrase (say up to 128 characters) that could be remembered by the users without writing it down somewhere (and would be a lot harder to brute-force).
I don't feel better having my login information and all this tracing of me through third parties. It just seems lazy to me to deal with it this way, and leaves too much exposed.
I have for years hosted things for friends or business acquaintances. I log all bad attempts to login into what few services I have visible to the outside, and have a daemon that monitors the log. If an IP address makes a number of failed attempts to authenticate, it's blacklisted -- all further traffic from it is dropped summarily for a period of time (and inbound traffic during the blacklist interval restarts the interval and adds more time). My services don't need to keep track of this (so for example I can have a usual dumb webserver that can't keep track of a client even any longer than a single TCP session is open), I don't have to share login credentials or demand tracking from anybody using my stuff, and due to other minor configuration settings (such as restricting new sessions per IP address to some number per second), even though the blacklisting is handled by an additional program, the response time is usually quick enough to only allow a small handful of connections before a response can be committed to the firewall. Oh, and I'm on a gigabit connection from one ISP and 50mb as a backup from another, with static IP addresses on both. While I'm sure I'm still susceptible to DDOS or similar, I have yet to come up with a way of handling that short of intimate cooperation with an upstream ISP, and nobody is willing to do that, at least for the amount I'm willing to pay for connectivity (and maybe not at all these days).
In 20+ years with full-time online dedicated systems and static outside IP addresses, I have not had a successful intrusion, but I have had millions of attempts (some systems do try to have hundreds of connections open, but restricting that at the firewall level to a reasonable number per second per IPA is easy -- and modern webservers/webclients don't suffer since they can pipeline requests on a single TCP session). So I do have some sympathy for the problem; just not for the captcha based 'solution' (or any third-party solution I have seen implemented to date).
I have also had my login credentials for multiple services get out onto the 'dark web' (not by me). In most of these cases, I consider it incompetence by the people who were hosting the service (and since I use different passwords everywhere, the damage to me is limited). But I do lose faith in such services when I find my information 'out there'. In at least a couple cases, the services that 'leaked' my credentials for themselves were also 'protected' by some 'recaptcha' like junk and they still were cracked.
There are places for such things as recaptcha, however. One place I would say I think things like recaptcha might be a good idea is on a public forum -- asking for one to be solved before allowing a 'guest' user to post (or if you allow users to 'stay logged in' and don't ask them to reauthenticate when their IP address changes for example, but that's just being annoying to those of us who do not 'stay logged in', in order to support laziness of those who do use such things).
