I think it depends on how motivated the attackers are.
If we are talking about the account creation form of Facebook, you bet you will need some CAPTCHA. If it's a random form with no obvious benefit of spamming then I'm not sure how many "attempts" will be done to begin with regardless of the protection mechanisms.
In those cases you may be enocuntering bots that "blast spam" and usually the slightest form of barrier stops them because they tend to be made for the common denominator, for example by targeting popular blog/forum software that have a predictable form structure that the bot can be programmed for.
I have seen some basic anti-spam features that are "home-made captcha".
For example it says something like "Pandas are black and:" and you have to enter "white".
Those can sometimes be made in a way that is more user-friendly compared to a "real captcha".
However it takes some careful consideration and knowing your audience to make sure that they understand what to do. Some users may not understand it due to language or cultural differences or due to people being used to the traditional captcha.
You may want to remove the protection mechanism to see if you get any spam at all or not (or at least log and measure success vs failure cases).
Without knowing anything about your use case, personally I'd remove the CAPTCHA and see how many spams come through. Then I'd put a very basic and gentle barrier just enough to remove those spams and gradually increase the barrier if required.
Another thing to consider is that if your users have to login you can have some kind of basic reputation metric so that "known good" users are not subject to the same restrictions.
If we are talking about the account creation form of Facebook, you bet you will need some CAPTCHA. If it's a random form with no obvious benefit of spamming then I'm not sure how many "attempts" will be done to begin with regardless of the protection mechanisms.
In those cases you may be enocuntering bots that "blast spam" and usually the slightest form of barrier stops them because they tend to be made for the common denominator, for example by targeting popular blog/forum software that have a predictable form structure that the bot can be programmed for.
I have seen some basic anti-spam features that are "home-made captcha".
For example it says something like "Pandas are black and:" and you have to enter "white".
Those can sometimes be made in a way that is more user-friendly compared to a "real captcha".
However it takes some careful consideration and knowing your audience to make sure that they understand what to do. Some users may not understand it due to language or cultural differences or due to people being used to the traditional captcha.
You may want to remove the protection mechanism to see if you get any spam at all or not (or at least log and measure success vs failure cases).
Without knowing anything about your use case, personally I'd remove the CAPTCHA and see how many spams come through. Then I'd put a very basic and gentle barrier just enough to remove those spams and gradually increase the barrier if required.
Another thing to consider is that if your users have to login you can have some kind of basic reputation metric so that "known good" users are not subject to the same restrictions.