CAS 4, which isn’t out yet, or in any condition to be used in production, now supports using JCaptcha in order to throttle attempts to discern passwords.
Complete details on enabling it are in the JASIG Wiki. We’ve enabled it by default in the demonstration WAR file.
Essentially, we use an algorithm (rather simple, feel free to enhance it and contribute it back) to determine if you’ve had too many failed attempts in a a certain period of time based on your IP address. We don’t use sessions because obviously you could just get a new session 
This is just one of the many enhancements based on community feedback that we’re looking to include in CAS 4.
