I like the use of MD5 hashes to make it stateless, you could also test on the client side before sending the form, its so annoying for the full form to be rejected because I couldn't guess the captcha.
This is also an attack vector that the article mentions. If you have logic on the client-side that can tell if the captcha is correct it lets an attacker brute-force it. (Basically as far as I see you can't send the hashes to the client without opening up this vector.)
True, I thought about scrypt and salts to slow down a brute force but for a 5 letter captcha I guess the search space would be too small no matter what you did.
