>>3
If you don't want to use htpassword, you're stuck with the first suggestion:
People will need to submit to you their (encoded) tripcode. For example, mine is "!hinhT6kz2E". You put that in NoCap, and perhaps put their normal nick and/or email in the comment. Now only people who know their tripcode can post. People without a valid tripcode cannot, although they can still view the board.
You could make a small second wakaba/kareha board where people can post their requests for registration/validation. Go through that board every couple of days, and copy the tripcodes straight from there. Or have them email the tripcode to you instead.
Personally, I think wakaba's a bad fit for this, but if you're determined to do it, this can be done with a few minutes of work.
I forgot to mention:
What NoCap does is allow people with specific tripcodes to post without entering a captcha.
By enabling captcha, you're requiring everyone not in the NoCap list to enter a captcha. But if you delete captcha.pl, they can't post, since they're not given a captcha when they visit the page.
Ergo, only people on the NoCap list can post.