
Indeed. It's a balance. Three failures is way too hard. Ours is a fairly simple captcha -- 5 letters/numbers, and our logs show that somewhere around 94% of attempts are correct, and we see few abandoned signups during the captcha answering phase. We could probably improve that further, though.

The primary defense against OCR is to make the segmentation attack hard -- pushing the characters together somewhat. With more tweaking we could probably get closer to a sweet spot of just enough overlap. Not even all of the characters would have to overlap to be effective.



But it's a moot point, since anyone who really wants to defeat captchas en masse can just go Mechanical Turk, or even better just set up their own 'porn/warez' sites etc. to show your captchas and have random internet users solve it for them.

There's no defense against that... Which makes captchas just a big irritating bag of fail.


Indeed! In my experience, the best captcha is asking for a credit card number.


In the same vein, the best captcha is not letting anyone sign up at all.


I think of it as similar to a home security system. Of course there are ways around it. Chances are that the effort involved means that a burglar will go rob a neighbor's house instead though.

Perhaps captchas make more sense in capital-intensive industries with clear avenues for abuse. In the case of SpiderOak, we'd prefer to avoid making the free backup accounts an attractive prospect for warez distribution. YMMV.



