> With that, the site gives away whether the account has a low entropy password or not.

Sure, why not? Way more than half of passwords are low-entropy, so that doesn't meaningfully help them focus attacks.

And they still have to keep solving captchas to make those attempts.