What’s better to use against a brute force method (when there are 3+ unsuccessful login attempts within the last, let’s say, 5 minutes) and why – displaying a CAPTCHA or using sleep (let’s say 1 second)?
Thank you.
In my opinion a good CAPTCHA is probably better than a one second delay. But it must be a good CAPTCHA (meaning very difficult to solve with a machine but still easy for a human to solve). Even if the machine on the other end can solve your CAPTCHA, it is likely to take much more than a second to solve a good CAPTCHA unless the attacker has extraordinary computing power at their disposal.
That said, you may wish to balance that against the annoyance that CAPTCHAs tend to elicit in users. Of course, these are users who have mistyped their password three times or have forgotten their password, and hopefully that is a minority of users (although no doubt it will happen more than you wish).
Also, things may change if you do exponential (or whatever the correct mathematical term is) delays. So, the first delay is 1 second, the second is 2 seconds, the third is 4 seconds, the next is 8 seconds, etc. That would be much more effective than using 1 second delays only.
And, of course, there’s no reason you can’t do both a CAPTCHA and a delay, which is what I would recommend if you are worried about brute forcing.
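The combination the answer recommends (a doubling delay after each recent failure, plus a CAPTCHA once the question's threshold of 3 failures in 5 minutes is reached) can be implemented as a small throttle. The following is an added example written for this page, not code from the question or the answer. It assumes an in-memory per-account store (a real deployment would keep this state in a shared store such as a database or cache so that all application servers see the same counters), a cap on the delay (`MAX_DELAY`, my choice, so the doubling cannot grow without bound), and that the caller passes the outcome of its own password and CAPTCHA checks.

```python
import time
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 5 * 60   # from the question: count failures over the last 5 minutes
CAPTCHA_THRESHOLD = 3     # from the question: 3+ recent failures trigger the CAPTCHA
BASE_DELAY = 1.0          # from the answer: first delay is 1 second, then 2, 4, 8, ...
MAX_DELAY = 60.0          # assumption: upper bound on the doubling delay


@dataclass
class LoginThrottle:
    """Tracks recent login failures per account key (in-memory; assumption)."""
    failures: dict = field(default_factory=dict)  # key -> deque of failure timestamps

    def _recent(self, key, now):
        """Drop failures older than the window and return the remaining ones."""
        q = self.failures.setdefault(key, deque())
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def record_failure(self, key, now=None):
        now = time.monotonic() if now is None else now
        self._recent(key, now).append(now)

    def record_success(self, key):
        # A successful login clears the account's failure history.
        self.failures.pop(key, None)

    def recent_failures(self, key, now=None):
        now = time.monotonic() if now is None else now
        return len(self._recent(key, now))

    def delay_seconds(self, key, now=None):
        """Exponential delay: 1 s after the first recent failure, 2 s after the
        second, 4 s after the third, ... capped at MAX_DELAY."""
        n = self.recent_failures(key, now)
        if n == 0:
            return 0.0
        return min(BASE_DELAY * (2 ** (n - 1)), MAX_DELAY)

    def captcha_required(self, key, now=None):
        return self.recent_failures(key, now) >= CAPTCHA_THRESHOLD


def attempt_login(throttle, key, password_ok, captcha_solved, now=None):
    """Decide the outcome of one login attempt.

    Returns (outcome, delay) where outcome is 'ok', 'captcha_required' or
    'fail', and delay is the number of seconds the caller should wait before
    sending the response. password_ok / captcha_solved are the results of the
    caller's own credential and CAPTCHA verification (assumption).
    """
    now = time.monotonic() if now is None else now
    if throttle.captcha_required(key, now) and not captcha_solved:
        # Do not even evaluate the password until the CAPTCHA is solved.
        return ("captcha_required", throttle.delay_seconds(key, now))
    if password_ok:
        throttle.record_success(key)
        return ("ok", 0.0)
    throttle.record_failure(key, now)
    return ("fail", throttle.delay_seconds(key, now))


if __name__ == "__main__":
    # Constructed walk-through: three bad passwords, then a blocked attempt,
    # then a successful login with the CAPTCHA solved.
    t = LoginThrottle()
    for second in range(3):
        print(attempt_login(t, "alice", password_ok=False, captcha_solved=False, now=second))
    print(attempt_login(t, "alice", password_ok=True, captcha_solved=False, now=3))
    print(attempt_login(t, "alice", password_ok=True, captcha_solved=True, now=3))
```

The returned delay is applied by the caller (for example by scheduling the response rather than blocking a worker thread with `sleep`, so that a flood of failed attempts cannot tie up all request handlers). Keying the throttle by account name limits guessing against one account; a second throttle keyed by source address can be layered on top in the same way.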