Stopping bots is a form of security. Like all forms of security it involves trade offs. You need to decide what trade offs are acceptable and work within those limits. I've implemented captcha's on sites for unregistered comments and it worked wonderfully. It probably helps that its a low load site so no one has focused on attacking it, that was a trade off I made.

Maybe for your site requiring a response to an email, clicking a link in an email, sending password by email, whatever is better. CAPTCHA's are breakable but that stop tons and tons of abuse currently. Eventualy the hackers will get smarter, but i'm not going to worry overly about that until it happens.

Normaly security should be layered to acheive the best result. So use some IP filtering, use some smart matches that look for obvious spam (links in the name field, whatever), use a captcha with an email bypass to recieve the respons by email, etc. In the end a determined person will just sit there and register all 20 accoutns if thats what they want, so focus on the general bots that just wander around looking for forms, and figure out ways to fool them more often than you fool the humans visiting your site.