I recently ran into some airline's website that indicated that they wanted to "add two-factor security." What they actually meant was offer security questions, and both the questions -and- the answer options were in drop-down boxes, meaning you had to go with one of the canned answers.
Frankly, if it's going to be something I have to be able to remember without reference (which comes up occasionally) yet somehow be identifying of me, I'd rather pick my own questions and make them in-jokes. It's much more likely that someone can dig up my first pet's name, species, and breed than the answer to some 6th-grade in-joke like "What does Deza say?"
Note that RFC 4122 says "Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example." It does not make any exception for UUIDv4. Sure, use of UUIDv4 strings for this purpose is very common, but there it is.
I remember being on the phone to reset my password for a site and having to confirm to the human at the other end of the line that my mother's maiden name really was "BQBXJV7XpQxX50HO" or whatever.
I use this command to generate the answers for me:
openssl rand -base64 48
Nice and short, no dependencies because usually openssl is installed on Linux/Mac.
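The one-liner above, wrapped so the byte count is a parameter and the output can be sanity-checked before it is pasted into a form. This is an added example, not the commenter's script; it assumes only that openssl is on PATH. The hash_answer function is a hypothetical illustration of what a site should store instead of the plaintext answer (a salted SHA-256 digest), added here as a contrast to the plaintext storage the thread complains about; the salt values used in it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): parameterised wrapper around
# "openssl rand -base64 N" with length and entropy checks.

# Print N random bytes (default 48) from openssl's CSPRNG, base64-encoded,
# with the line wrapping openssl adds at 64 columns removed.
gen_answer() {
    bytes="${1:-48}"
    openssl rand -base64 "$bytes" | tr -d '\n'
}

# Entropy in bits for N random bytes; base64 encoding adds none.
entropy_bits() {
    echo $(( ${1:-48} * 8 ))
}

# Base64 length for N bytes: 4 characters per 3-byte group, rounded up.
b64_len() {
    echo $(( ( (${1:-48} + 2) / 3 ) * 4 ))
}

# Sanity check: an answer generated from N bytes must have the base64
# length that N implies, otherwise the pipeline was truncated or mangled.
check_answer() {
    answer="$1"; bytes="$2"
    [ "${#answer}" -eq "$(b64_len "$bytes")" ]
}

# Hypothetical site-side storage form: salted SHA-256 hex digest rather
# than the plaintext answer. Works with OpenSSL 1.1 and 3.x output formats.
hash_answer() {
    answer="$1"; salt="$2"
    printf '%s%s' "$salt" "$answer" | openssl dgst -sha256 | sed 's/^.*= //'
}

# Stand-alone usage: generate, verify, and show what would be stored.
if [ "${0##*/}" = "gen_answer.sh" ]; then
    a="$(gen_answer 48)"
    check_answer "$a" 48 || { echo "unexpected length" >&2; exit 1; }
    echo "answer ($(entropy_bits 48) bits): $a"
    echo "stored form: constructed-salt\$$(hash_answer "$a" constructed-salt)"
fi
```

Run it as gen_answer.sh to get a fresh answer plus the digest a site would keep; the digest, not the answer, is what ends up in the database, so a leaked table does not hand out the answers.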
You know, of the Long Island BQBXJV7XpQxX50HOs.
Yeah, that's a downside. Or explaining that yes, my best friend in elementary school was "Deep Fried Electric Pickle Jazz".
You all know they'll store that in plain text, right?
Who cares?