Suggestion
Resolution: Unresolved
In BSERV-3001, an option was created to turn off CAPTCHA completely. However, in an ideal world it seems you could disable CAPTCHA for specific types of users.
Consider a setup where you have two types of users:
- Users managed by an external system such as Active Directory. Active Directory already has a policy of locking the account after X attempts, so Bitbucket Server does not need CAPTCHA to protect against brute-force attacks for these users.
- Users built inside Bitbucket Server's internal directory (such as Atlassian's recommendation that you always keep an administrator or sysadmin account active in the Bitbucket Server internal directory). You would like CAPTCHA to protect these accounts.
For users in group #1, the CAPTCHA is a huge annoyance. If they get locked out of AD, there is now a two-step process:
- Unlock AD account
- Fill out Bitbucket Server CAPTCHA
This approach really doesn't scale if every Atlassian tool uses it. A locked password could potentially require you to:
- Unlock in AD
- CAPTCHA for Bitbucket Server
- CAPTCHA for Bamboo
- CAPTCHA for Jira
- ... (at some point you lose the point of having a centralized ID unlock mechanism)
At this point you would be tempted to turn off CAPTCHA entirely, but it's a bad idea because people could then brute-force the accounts built in the internal directory.
The ideal solution seems to be the ability to turn off CAPTCHA only for users that are managed by an external user directory. Is that possible?
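To make the trade-off concrete, here is an added illustration (not Bitbucket Server code, and not from Atlassian) of the three CAPTCHA modes discussed above: the current "all users" behaviour, the "off" option from BSERV-3001, and the proposed "internal directory only" mode. The directory labels, the three-attempt threshold and the counter are constructed for the example; it shows how many wrong guesses each mode lets through before a challenge is demanded.

```python
from collections import defaultdict

# Constructed threshold: failed attempts tolerated before CAPTCHA is demanded.
CAPTCHA_THRESHOLD = 3


class LoginPolicy:
    """Hypothetical per-directory CAPTCHA policy for a Bitbucket-style login.

    captcha_mode is one of:
      "all"           - CAPTCHA for every account after the threshold (current behaviour)
      "off"           - CAPTCHA never required (the BSERV-3001 option)
      "internal_only" - CAPTCHA only for internal-directory accounts; external
                        accounts rely on the directory's own lockout (proposed)
    """

    def __init__(self, captcha_mode):
        self.captcha_mode = captcha_mode
        self.failures = defaultdict(int)  # per-username failed-login counter

    def record_failure(self, username):
        self.failures[username] += 1

    def record_success(self, username):
        self.failures.pop(username, None)  # reset on a good login

    def captcha_required(self, username, directory):
        if self.captcha_mode == "off":
            return False
        if self.captcha_mode == "internal_only" and directory == "external":
            # External directory (e.g. Active Directory) already locks the
            # account after X attempts, so no extra CAPTCHA is added here.
            return False
        return self.failures[username] >= CAPTCHA_THRESHOLD


def unchallenged_guesses(policy, username, directory, attempts):
    """Count how many of `attempts` wrong passwords are processed without a
    CAPTCHA challenge. A larger number means more room for online guessing."""
    accepted = 0
    for _ in range(attempts):
        if policy.captcha_required(username, directory):
            break
        accepted += 1
        policy.record_failure(username)
    return accepted
```

Running the same 100-guess attempt against an internal-directory account shows why "off" is the dangerous setting: it never challenges, while "internal_only" still stops at the threshold for internal accounts and only waives the challenge where the external directory's lockout applies.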