But of course you could run it ten times and pick one of them. Or modify the instant answer to return ten or twenty. Not ideal or optimal, but there it is.
That hardly helps at all. Now instead of knowing your exact password, your attacker knows that your password is one of these 10-20 entries, and it's easy to just try them all.