Per user does not help when doing credential stuffing - the attacker tries known credentials from a leak, it’s not random cracking. Per IP blocks can be circumvented by using a botnet and slowing your attack.
Those things are why I said close to sufficient, not sufficient. For best results you will want some other form of behaviour analysis also. But reCAPTCHA suffers from serious problems too; it’s easy to find turn-key reCAPTCHA-solving services at under $1 per thousand. So reCAPTCHA is a deterrent, but far from inviolate, and for most of the kinds of attacks we’re talking about here it’s not even a particularly severe deterrent. (It would be for comment spam, since the value of each attempted submission is negligible, but for credential stuffing the expected value of each attempt is much higher.)
What we have here is users who don't re-use passwords being inconvenienced to protect those who do. Doubtlessly this is very progressive, as those who reuse passwords have less "has a fucking clue"-privilege. But nonetheless this does not sit right with me.
