It is better to pick names with actual words. An attacker can otherwise say that the answer is just a bunch of random characters, and there is a risk that a naïve customer support representative may accept it.
In order to deploy this successfully, the attacker would have to know that you used a random string...how would they know this without having access to the string itself?
Not necessarily - they're given multiple "tries" so they can just pick "a bunch of random letters" as one of their first few choices in hopes that they guessed correctly.