I guess we disagree over the meaning of the term 'captcha' then. Besides that, it is also pretty trivial to spoof a MAC address.

> For Dropbox, it's probably better to reduce the friction in the sign up flow than to prevent against these kinds of edge cases.

Agreed. But there are smarter ways to do it. Take Gmail for example - it normally doesn't require you to pass a captcha. But if you fail a certain number of login attempts, it does. How hard can it be to start displaying a captcha after, say, 5 accounts get registered within 24 hours for the same IP address?