
This is also an attack vector that the article mentions. If you have logic on the client-side that can tell if the captcha is correct, it lets an attacker brute-force it. (Basically, as far as I see, you can't send the hashes to the client without opening up this vector.)


True, I thought about scrypt and salts to slow down a brute force, but for a 5-letter captcha I guess the search space would be too small no matter what you did.



