> When an organisation asks me to set a recovery question, I generate a 32 character passphrase
This is not actually the best way. For some services eventually you get to a person in a call center who can actually check those security questions to perform a password reset (when all else fails). Having a random string opens the door for someone to claim "oh I think I put something random in there, I really forgot what" and it's likely they'll pull it off. Especially if the hacker knows (somehow[0]) that you put a random string there and it's exactly 32 characters long.
Just go with a plausible name that's still not straightforward to guess.
[0] You may blog about it... Or discuss it loudly and be overheard.
> In your scenario the service is already broken and the door is wide open no matter what you choose as the recovery answer.
You'd be safer with this assumption anyway. But again, after telling the whole internet you're using random 32 character strings for that it's likely that you just lowered the bar a little for social engineering. It is easier than you think to call a call center and convince someone to perform a password reset or a SIM porting (for hijacking). At least don't give them another plausible avenue.
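One way to follow the advice in both comments above (a recovery answer that reads like a plausible name, so it does not invite the "I put something random in there" excuse, but is still picked at random rather than from your own biography). This is an added example, not code from anyone in the thread; the name lists are constructed and deliberately tiny, and the `real_facts` list stands in for answers an attacker could actually look up about you.

```python
import math
import secrets

# Constructed sample lists. Assumption: a real deployment would load a few
# thousand names (e.g. a public census name file) so the answer carries
# enough entropy; these short lists are only for illustration.
FIRST_NAMES = ["Ana", "Bjorn", "Chiara", "Dmitri", "Esme", "Farid", "Greta", "Hiro"]
SURNAMES = ["Alvarez", "Brennan", "Castellano", "Dubois", "Eriksson", "Fontaine", "Gupta", "Holm"]


def answer_entropy_bits(first_names, surnames):
    """Bits of entropy in one uniformly random 'First Last' pair."""
    return math.log2(len(first_names) * len(surnames))


def plausible_answer(first_names=FIRST_NAMES, surnames=SURNAMES, rng=secrets):
    """Return a random but human-looking recovery answer.

    rng only needs a .choice() method; secrets is used by default so the
    draw comes from the OS CSPRNG rather than the predictable random module.
    """
    return f"{rng.choice(first_names)} {rng.choice(surnames)}"


def is_acceptable(answer, real_facts):
    """Reject an answer that collides with a fact an attacker could research.

    real_facts: names genuinely tied to you (actual maiden name, pets, streets),
    which must never be reused as a recovery answer.
    """
    normalised = " ".join(answer.split()).lower()
    banned = {" ".join(f.split()).lower() for f in real_facts}
    return normalised not in banned


def generate_acceptable(real_facts, first_names=FIRST_NAMES, surnames=SURNAMES,
                        rng=secrets, max_tries=100):
    """Draw answers until one does not match a known personal fact."""
    for _ in range(max_tries):
        candidate = plausible_answer(first_names, surnames, rng)
        if is_acceptable(candidate, real_facts):
            return candidate
    raise RuntimeError("name lists too small relative to the banned set")


if __name__ == "__main__":
    # Constructed example of facts to exclude; record the chosen answer in a
    # password manager, as you would any other credential.
    mine = ["Greta Holm"]
    print("entropy:", round(answer_entropy_bits(FIRST_NAMES, SURNAMES), 1), "bits")
    print("answer:", generate_acceptable(mine))
```

The entropy figure is the honest measure here: with lists of this size an answer is worth only 6 bits, which is why the comment says "plausible" and "not straightforward to guess" together; the plausibility comes from the name format, the strength from the size of the lists you draw from.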