by musage 3195 days ago
But the attacker kind of has to know the answer is gibberish from the bat, otherwise they'd either guess or pretend to not remember a real answer, which is noticeably different from saying something like "oh, that's 30 random characters but I don't have the note with me right now".
2 comments

Here is how it would go... attacker gives a real answer, support says no that isn't it. Attacker goes, "oh, sometimes I give fake answers for the question... is it a really long string of characters?"

Or they could go through a few things like that, always giving the excuse that they give false answers until they stumble on the right one.

But we already know @sersi just mashes the keyboard for those questions :)

Sure, but I doubt it would be easy to find my identity from my HN account name.