reCAPTCHA uses two keys for CAPTCHA - one that is known and one that is unknown. It is never known to the end user which key is the known key. The reason for this is that reCAPTCHA is doing two things: (1) providing CAPTCHA and (2) trying to improve Google's OCR recognition for book scanning.
If you key in the known key incorrectly, it will always return an error. But if you enter the known key correctly, you could enter gibberish for the second and still receive a valid response.
So the question first needs to be, what is the user putting in that they think is wrong and that is letting them through? Is it partially correct? If the user is putting in complete gibberish for everything and not receiving an error, then we could look into what the problem might be. But if your client is trying to see at what level they can break the CAPTCHA on purpose and is putting in partially correct responses, then it's just a matter of the client not understanding how the CAPTCHA works and thinking it is broken when it is not.
As for the password generation, the plugin's default is to generate a random password and email it to the user. It only allows user-chosen passwords if you add a password field.
So to get back to that, just delete the password field in the fields tab. (If you had also changed the email content in the emails tab, you will need to make sure that you are sending the password in the initial email.)
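
An added example, not part of the original reply and not reCAPTCHA's or the plugin's own code: a small Python model of the two-word check described above, with a triage helper for deciding whether a tester's report is expected behaviour or worth investigating. The names `Challenge`, `verify`, `triage` and `pass_rate`, the sample words, the case-insensitive comparison and the random placement of the known word are all assumptions of this model.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Challenge:
    words: tuple       # the two words shown to the user (constructed samples)
    known_index: int   # which one the service can grade; hidden from the user

def _same(a, b):
    # Assumption of this model: comparison ignores case and surrounding spaces.
    return a.strip().lower() == b.strip().lower()

def verify(ch, answers):
    """Model of the check: only the known word is graded."""
    return _same(answers[ch.known_index], ch.words[ch.known_index])

def triage(shown, typed, accepted):
    """Classify a tester's report without knowing which word was the known one."""
    right = sum(_same(t, s) for t, s in zip(typed, shown))
    if not accepted:
        return "rejected"
    if right == 0:
        return "investigate"   # complete gibberish got through: look into it
    # One word right and accepted means the right word was the known one.
    return "expected" if right == 1 else "correct"

def pass_rate(trials=2000, seed=1):
    """Tester always types the first word correctly and gibberish for the second."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        # Assumption: the known word lands in either position with equal chance.
        ch = Challenge(("overlooks", "inquiry"), rng.randrange(2))
        hits += verify(ch, ("overlooks", "zzzz"))
    return hits / trials

if __name__ == "__main__":
    shown = ("overlooks", "inquiry")
    print(triage(shown, ("overlooks", "zzzz"), True))   # partially correct, accepted
    print(triage(shown, ("qqqq", "zzzz"), True))        # all gibberish, accepted
    print(f"partially correct answers accepted: {pass_rate():.0%}")
```

Under these assumptions a partially correct answer is accepted about half the time, which is why a client probing the form on purpose can see results that look inconsistent.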