In order to deploy this successfully, the attacker would have to know that you used a random string...how would they know this without having access to the string itself?
Not necessarily - they're given multiple "tries" so they can just pick "a bunch of random letters" as one of their first few choices in hopes that they guessed correctly.