I have read a suggestion that one should pick real (but randomly generated) words because, where it is possible to call the company that maintains your account, an attacker might claim that the recovery answer is a series of random characters, and there is a chance that the employee will accept this and allow the attacker access to the account.
