If someone is really trying to use brute force, he may have a number of IP addresses to work with. What you could do is constantly increase the delay after each attempt and determine its username. CAPTCHAs can be beaten (to varying degrees), so set the captcha threshold to “slow things down” and then just block it for an hour.
Please note that brute forcing of this method is incredibly stupid, so I’ll worry more about the attacker getting a copy of the passwords from the database using injection or something else.
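A sketch of the per-username throttle described in the answer above, as an added example that is not part of the original post. The `LoginThrottle` name, the thresholds and the delay values are assumptions chosen for illustration; only the one-hour block comes from the answer.

```python
import time

CAPTCHA_AFTER = 3    # assumed: failures before a CAPTCHA is demanded
LOCK_AFTER = 6       # assumed: failures before the hour-long block
LOCK_SECONDS = 3600  # "block it for an hour"
BASE_DELAY = 1.0     # assumed: first delay in seconds, doubled per failure
MAX_DELAY = 60.0     # assumed: cap on the pre-lockout delay


class LoginThrottle:
    """Counts failures per username, so rotating source IPs does not reset it."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        # username -> (failures, earliest time of next attempt).
        # A real store would also expire idle entries to bound memory.
        self._state = {}

    def check(self, username):
        """Call before verifying the password. Returns (decision, seconds_to_wait)."""
        failures, not_before = self._state.get(username.lower(), (0, 0.0))
        wait = max(0.0, not_before - self._clock())
        if wait > 0:
            return ("blocked" if failures >= LOCK_AFTER else "wait"), wait
        if failures >= CAPTCHA_AFTER:
            return "captcha", 0.0  # attempt allowed only with a solved CAPTCHA
        return "allow", 0.0

    def record(self, username, success):
        """Call after the password check with its outcome."""
        key = username.lower()
        if success:
            self._state.pop(key, None)  # a good login clears the counter
            return
        failures = self._state.get(key, (0, 0.0))[0] + 1
        if failures >= LOCK_AFTER:
            delay = LOCK_SECONDS
        else:
            delay = min(MAX_DELAY, BASE_DELAY * 2 ** (failures - 1))
        self._state[key] = (failures, self._clock() + delay)
```

The clock is injectable so the schedule can be exercised without sleeping; after the block expires the account stays in the CAPTCHA state, and one more failure blocks it again.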