CAPTCHA exists to tell humans and automated programs apart. A CAPTCHA must be readable by a human and not readable by a computer. The key phrase is "readable by a human". Remember: a computer will not start complaining if it can't read the CAPTCHA. People will complain every time they see a barely readable one. What matters more - people's mood or absolute unbreakability?
One of the most amazing abilities of the human brain is separating signal from noise and object from background, everything we call abstract thinking. So when you try to make a CAPTCHA unbreakable, choose an approach in which the actions a human must take to extract the needed information are easy, not complex.
A good idea is to take a word from a vocabulary as the code instead of a random sequence of letters and digits: even if one letter is hard to read, understanding the whole word helps the user type it correctly. But it is also a bad idea; I'll explain why below.
Universality
Who are the people who will see your CAPTCHA? What is their native culture, what is their native language? How can you be sure that your CAPTCHA is clear and friendly to really ALL humans? A good CAPTCHA uses only symbols that are at least intuitively clear and understandable to every human. Well, to all humans who can see your CAPTCHA, that is, who have a computer, know (generally) how to use it and know what the internet is. This assumption gives the key to building the code: no signs other than keys on a keyboard (English alphabet only, of course), and digits are even better. Imagine that a CAPTCHA requires you to click in some special area of a picture, and the explanation of this is written in a language foreign to you. The site visitor, the user of your CAPTCHA, is your biggest value, not the risk of spam messages.
So the bad ideas are: showing photos, say, of animals and asking the user to type their names. There is no sense in showing someone's photo and asking for the celebrity's name. There is no sense in drawing some shape and asking the user to click in a specified area: you can't be sure the user can really read and understand the instructions (you may say such a limitation is far-fetched, but this is not the only reason not to use such a principle). That's also why the idea of vocabulary words as codes may not work (and it's not the last issue; read below).
And don't forget that people not only speak different languages, but think in different environments and live in different cultures. A CAPTCHA designer should undoubtedly keep this in mind to build a good CAPTCHA.
Usually the problem solved by implementing a CAPTCHA is not too serious, and the budget very rarely allows one more dedicated server just to generate CAPTCHAs. If your CAPTCHA takes too much CPU time or memory, its implementation will increase the whole server load considerably. Of course, everything depends on the specific situation, but you should keep it in mind. Some very nice ideas for blurring, noising and distortion can require too much, and implementing them in assembler is too expensive and inflexible. Doing it in Java can be unreasonable because of speed, in C because of cross-platform issues and cost, etc. Well, a good solution is always a compromise.
Singularity
This means that every CAPTCHA image must be unique, or at least very rare, because the idea of a CAPTCHA, like any other automated system, is to make something once, in limited time, that will work for unlimited time. If you decide to make a lot of pictures manually and show a random one, all a hacker needs to do is recognize them manually. Recognition is always faster than designing, so the contest will be between how fast the developer makes new pictures and how fast the hacker adds them to his database.
So the key is to create a black box that outputs an infinite number of unique pictures based on a finite letter set, fonts, random parameters and values, and the rest: filters, distortions, etc. That is not hard; what is hard is to make it satisfy all the other aspects listed here. But for sure, lazy tricks like combining pre-created images in HTML to get a "unique" code are a bad idea.
Carefulness
Sometimes developers forget about the other sides of building and implementing a CAPTCHA; I'm talking about everything besides the image. Generating images is, of course, the main and most important part, but there is an old proverb: a system is only as strong as its weakest component. If you store the comparison result in the session, always remember that the session ID is known to the potential hacker. If you use hidden fields, always remember that they can be viewed. ALL data transferred to the user can be identified, stored and falsified by a potential hacker. So when you see that your CAPTCHA doesn't work, consider that maybe the CAPTCHA images are good and the problem is somewhere else. And, correspondingly, when you develop a CAPTCHA, try to make sure the images are the most unprotected element in the system.
Some CAPTCHAs made by not-too-smart developers are amazing. They show that their developers are either ignorant about CAPTCHAs or just careless. How else can you explain a CAPTCHA where a BLACK code is written OVER RED noise? Yes, I've seen one! Is it hard to separate black areas from red? Examples like this (not all so heavily stupid) can be found in different places, which gives the key: spend at least 10% of your time trying to solve the reverse task, recognizing the generated picture; this gives a deep understanding of what a good CAPTCHA is.
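As an added example, not the article's code, here is the non-image side of such a system in Python: a challenge generator that draws the code from a finite, keyboard-typeable alphabet with a CSPRNG and gives every challenge its own rendering seed (the black box the Singularity section asks for), and a verifier that keeps the answer only on the server, consumes each challenge on first use, expires it, and compares in constant time. The hidden-field check is shown beside it as the weak pattern the paragraph above warns about. The alphabet (which confusable glyphs are dropped), the time-to-live and the in-memory store are my assumptions; a real renderer would consume `render_seed`.

```python
"""Challenge lifecycle for a text CAPTCHA: everything except drawing the image.
Added example, not the article's code. Assumptions: an in-memory dict stands in
for the server's real store, and ALPHABET is one reasonable choice of symbols."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Keyboard-typeable English letters and digits only (Universality section).
# I, O, 0 and 1 are dropped because they are easy to confuse; assumption, your
# fonts may justify a different set.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


@dataclass
class Challenge:
    answer: str        # never leaves the server
    render_seed: int   # drives fonts, distortion and noise in the renderer
    expires_at: float


class CaptchaStore:
    """Server-side record of outstanding challenges, keyed by an opaque id."""

    def __init__(self, ttl_seconds: float = 300.0, code_length: int = 6,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._challenges: Dict[str, Challenge] = {}
        self.ttl = ttl_seconds
        self.code_length = code_length
        self.clock = clock  # injectable so expiry can be exercised deterministically

    def new_challenge(self) -> Tuple[str, str, int]:
        """Create one challenge and return (challenge_id, answer, render_seed).
        Only challenge_id and the rendered image go to the client; the answer and
        the seed stay with the renderer and this store."""
        challenge_id = secrets.token_urlsafe(16)          # opaque, unguessable
        answer = "".join(secrets.choice(ALPHABET) for _ in range(self.code_length))
        render_seed = secrets.randbits(64)                # fresh per challenge: no image repeats
        self._challenges[challenge_id] = Challenge(answer, render_seed, self.clock() + self.ttl)
        return challenge_id, answer, render_seed

    def verify(self, challenge_id: str, submitted: str) -> bool:
        """True only for the first, in-time, correct answer to a known challenge."""
        # pop() makes every challenge single-use: a wrong guess burns it too,
        # so one challenge id cannot be retried until it matches.
        challenge = self._challenges.pop(challenge_id, None)
        if challenge is None or self.clock() > challenge.expires_at:
            return False
        normalised = submitted.strip().upper().encode()
        return hmac.compare_digest(challenge.answer.encode(), normalised)


def hidden_field_verify(form_fields: Dict[str, str]) -> bool:
    """The weak pattern: the expected answer travels to the client in a hidden
    field, so the client controls both sides of the comparison. Kept here only
    to contrast with CaptchaStore.verify."""
    return form_fields.get("expected", "") == form_fields.get("answer", "")


if __name__ == "__main__":
    store = CaptchaStore()
    cid, answer, seed = store.new_challenge()
    print("challenge", cid, "renders with seed", seed)
    print("first correct submission accepted:", store.verify(cid, answer))
    print("replay of the same challenge rejected:", store.verify(cid, answer))
    print("hidden-field check trusts whatever the form carries:",
          hidden_field_verify({"expected": "X", "answer": "X"}))
```

The design point is the one the paragraph makes: after this code runs, the only thing an outsider can learn from the traffic is an opaque id and an image, so the image really is the weakest element.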
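The "black code over red noise" case can be caught at design time, because the generator knows exactly which pixels belong to the code. The following is an added example, not the article's code: a self-check that takes a rendered image and its text mask and reports whether a single colour-channel threshold, or a plain colour lookup, reproduces the mask exactly. The images are tiny ASCII sketches I constructed so it runs without an image library; one is drawn black over red noise, the other adds noise strokes in the code's own colour.

```python
"""Design-time self-check: does colour alone peel the code off the noise?
Added example, not the article's code. The sketches below are constructed
stand-ins for a real rendered image and its text mask."""
from typing import Dict, List, Optional, Tuple

Pixel = Tuple[int, int, int]
Image = List[List[Pixel]]
Mask = List[List[bool]]

BLACK: Pixel = (0, 0, 0)
WHITE: Pixel = (255, 255, 255)
RED_NOISE: Pixel = (220, 30, 30)

# A crude letter 'A' ('T' = code stroke) with noise dots ('n') scattered around it.
SKETCH = [
    "..T..n.",
    ".TTT.n.",
    "T...Tn.",
    "TTTTT..",
    "T...T.n",
]
WEAK_LEGEND: Dict[str, Pixel] = {".": WHITE, "n": RED_NOISE}   # black code over red noise
STRONG_LEGEND: Dict[str, Pixel] = {".": WHITE, "n": BLACK}     # noise drawn in the code colour


def build_image(rows: List[str], legend: Dict[str, Pixel]) -> Tuple[Image, Mask]:
    """Turn a sketch into an RGB image plus the text mask the generator knows."""
    image: Image = []
    mask: Mask = []
    for row in rows:
        image.append([BLACK if ch == "T" else legend[ch] for ch in row])
        mask.append([ch == "T" for ch in row])
    return image, mask


def threshold_separates(image: Image, mask: Mask) -> Optional[Tuple[int, int]]:
    """Return (channel, threshold) if `pixel[channel] < threshold` reproduces the
    mask exactly, or None if no single-channel threshold does."""
    height, width = len(image), len(image[0])
    for channel in range(3):
        for threshold in range(1, 256):
            if all((image[y][x][channel] < threshold) == mask[y][x]
                   for y in range(height) for x in range(width)):
                return channel, threshold
    return None


def lookup_separates(image: Image, mask: Mask) -> bool:
    """True if the code's colours never occur outside the code: a colour lookup
    table alone would then recover the text."""
    text_colours = {px for row, mrow in zip(image, mask) for px, m in zip(row, mrow) if m}
    other_colours = {px for row, mrow in zip(image, mask) for px, m in zip(row, mrow) if not m}
    return text_colours.isdisjoint(other_colours)


def assess(rows: List[str], legend: Dict[str, Pixel]) -> str:
    """One-line verdict for a sketch and palette."""
    image, mask = build_image(rows, legend)
    if threshold_separates(image, mask) or lookup_separates(image, mask):
        return "weak: colour alone separates code from noise"
    return "ok: noise shares the code's colours"


if __name__ == "__main__":
    print("black over red:", assess(SKETCH, WEAK_LEGEND))
    print("black over black:", assess(SKETCH, STRONG_LEGEND))
```

Passing this check only means the noise is not trivially filterable by colour; the later stages the Understanding section lists (segmentation, recognition) need their own checks.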
Understanding
This is the stage that comes right after the previous one. OK, you have set yourself the task of cracking the CAPTCHA; what problems can you meet? That's right: defining what is signal and what is noise, separating them, breaking the result into single pieces (letters), recognizing each one and compiling the result. Which stage is the hardest to implement? Do you really need to put obstacles in the way of every stage? (And is it possible to do so while keeping harmony with all the other CAPTCHA issues listed above?) You don't need to be a CAPTCHA expert to assess this; you just need to examine the leading CAPTCHAs, those made by the world's top companies: Google, Hotmail, Yahoo.
Turning back to taking the code from a vocabulary: what if the hacker determines how many letters the word has and recognizes 80% of them? How many vocabulary words will match? I think not too many; say one. Or two.
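The question above can be answered with numbers. The following is an added example, not the article's code: it counts how many words of a vocabulary match a partly recognised word (with `?` marking unread positions) and compares that with the number of candidates a random code over a 36-symbol alphabet would leave with the same unread positions. The word list is a small constructed stand-in for a real dictionary.

```python
"""Residual guessing space of vocabulary words versus random codes.
Added example, not the article's code. VOCABULARY is a constructed stand-in
for a real dictionary file."""
import math
from typing import List

# Constructed vocabulary of seven-letter words; a real one would be far larger,
# but the point survives: known letters constrain real words very strongly.
VOCABULARY = [
    "capture", "rapture", "culture", "picture", "lecture", "fixture", "feature",
    "mixture", "texture", "vulture", "venture", "gesture", "posture", "nurture",
    "torture", "pasture", "capital", "captain", "caption", "captive", "chapter",
]

# Keyboard letters and digits, as the Universality section recommends
RANDOM_ALPHABET_SIZE = 36


def candidates(pattern: str, vocabulary: List[str]) -> List[str]:
    """Words of the same length that agree with every recognised letter;
    '?' marks a position that could not be read."""
    return [
        word for word in vocabulary
        if len(word) == len(pattern)
        and all(p == "?" or p == c for p, c in zip(pattern, word))
    ]


def random_code_candidates(pattern: str, alphabet_size: int = RANDOM_ALPHABET_SIZE) -> int:
    """Candidates left when the code is a uniformly random string: every unread
    position is independent, so the count is alphabet_size ** unread."""
    return alphabet_size ** pattern.count("?")


def remaining_bits(count: int) -> float:
    """Guessing work, in bits, for `count` equally likely candidates."""
    return math.log2(count) if count > 0 else 0.0


def compare(pattern: str, vocabulary: List[str] = VOCABULARY) -> str:
    """Side-by-side verdict for one partly recognised pattern."""
    vocab = len(candidates(pattern, vocabulary))
    rand = random_code_candidates(pattern)
    return (f"{pattern}: vocabulary leaves {vocab} word(s) ({remaining_bits(vocab):.1f} bits), "
            f"random code leaves {rand} ({remaining_bits(rand):.1f} bits)")


if __name__ == "__main__":
    print(compare("?apture"))   # six of seven letters read
    print(compare("ca?t??e"))   # four of seven letters read
```

With six of seven letters read, the vocabulary leaves two words, exactly the "one. Or two." above, while a random code of the same length still leaves 36 possibilities; with three positions unread the gap is two words against 46656.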
Assessment
To make an appropriate CAPTCHA it's useful to understand that every CAPTCHA can be broken; only the budget determines whether it will be broken or not. The ultimate price is to hire people in a country with cheap manpower and buy cheap PCs and an internet connection. It will cost about 150-200$/month, or about 1$/hour of unskilled work. An hour has 60 minutes, and each minute allows at least 3-5 images to be recognized. So the price is about 0.003 USD per picture... Of course, you can use IP checking and other additional features, but it will always be a question of price. So you need to understand how much your CAPTCHA costs, how much breaking it can cost, and how you value the thing you protect with this CAPTCHA. And there is an even cheaper way: you have of course heard about cracking CAPTCHAs using access to porn servers?
We have collected some thoughts and materials about CAPTCHA, in case you need them.