Such answers are weak when verified by customer support. An attacker can try saying "oh, I just entered a bunch of random letters, I didn't think I'd need to remember it" and an unsuspecting non-security-expert customer service rep confirms the answer as accurate.
Then my mother's maiden name is "I use a password manager: match this EXACT random value [adequately long random value]".
Fortunately, I'm rarely seeing this pattern nowadays.
How big do you think the DB field is for these password recovery questions? Do you think that they are blobs? Having seen databases with these sorts of fields, the ones at my company were more like varchar[25] than blob.
As long as I trim the input string to 25, that's totally fine: a character match on the first 25 characters of your mother's maiden name is perfectly acceptable, either over the phone or in an automated way, as proof of identity. But it surely isn't going to work with these super long messages that GP was trying to fit into the DB.
Sad part is they're often stored in plain text and agents can read them and even sometimes use their own judgement, so a little social engineering acting like a confused older customer could be an easy bypass - especially if the agent sees it as a keyboard mash.
I still use random security questions though, better than the alternative.
One time I was trying to set up a security question and it kept saying the info doesn't match their records and it seemed they were actually validating against public records. How friggin stupid.