by NullPrefix 1519 days ago
And when you're asked for your security answers just tell them it was some gibberish random characters.
1 comments

This. Security questions are almost always visible to humans in plaintext, and those humans are expected to be the judge of whether the security question was answered correctly.

I used to do random characters, but have switched to a string of random dictionary words. Still not perfect (since "a string of random words" could potentially be accepted as a valid answer), but I feel like having it be human-readable makes it less prone to that kind of fuzzing.