Not just easier, but actually more safe. The person on the phone isn't usually aware of your security "paranoia" and is being evaluated on how many customers he/she has been able to help.
As such, most helpdesk employees will accept the answer "Oh I forgot, I do remember I put some random characters in there"... and your random password ends up not helping you after all.
As noted in another comment, the attack on this of "oh I forgot, it's random characters" requires the attacker to know you do this. So if you do this, don't go disclosing it on public websites.
As another commenter mentioned, a help desk rep once gave the clue "it's really weird" over the phone, which would easily indicate to an attacker to try the mash-the-keyboard line.
The random character thing isn't great for this use, it seems, as a result.
If support reps give enough information away over the phone to let someone guess a security question, there is nothing you can do to protect yourself from them.
The search space for city names is tragically finite.
There are ~35,000 cities and towns in the U.S., but if you start weighting those by population (and birthing hospitals and centres), you're going to reduce that count considerably.
The overall risk runs a few different ways. One is that you yourself will be at risk, another is that there will be a high number of compromises.
There are about 300 in the U.S. of over 100k population (corollary: the other 34,700 locations have fewer than 100k people each, or are at most 10% of the population). A 1/300 chance of cracking a security question on any given transaction is pretty good odds. Particularly if the crack is then reusable.
Another 10% of the U.S. population (roughly) lives in the 10 largest cities alone. That's a 1% likely success rate based on just ten values.
The point being that "legitimate sounding but fabricated" may still not be a particularly good option.
I don't even try to make it sound legitimate. E.g. How many sisters do you have? Anyone guessing will be trying a number between 0 and 5. I use a semi-random word, colour or car I associate with my sister(s), e.g. Audi. When asked for a number, no one guessing will respond with a car make.
You don't have to answer the challenge with a 100% truthful, legitimate, accurate response, because the point is to NOT provide an answer that could be guessed by framing the response in truth, or even reality. So long as you've picked one that matches with what you've preseeded, use a random word/phrase as your response.
q: What is the name of your favorite teacher?
a: bumble bees in the desert
Yeah, but the key is you need to be able to remember it. Sure, you could store it somewhere, but oftentimes the reason you are needing to use it is because you don't have access to your normal system (computer, phone) that you use to log in with.
I don't recall the last time I used secret answers to get into anything. I don't perceive it as a valid way to get into an account. But the option cannot be refused... so to me it's just a security risk.
I've had to use security answers because I was locked out by systems that detected I was using an IP from a different country and so refused my correct password and were using the security questions as a kind of extra authentication.
The amount of stupidity needed to build such a system is staggering.
I believe the general recommendation I saw was to type something along the lines of "never accept this answer - it's probably someone trying to impersonate me | 2DXSDGREDV@#!" (although it's probably hard to do so if the maximum acceptable length is too short).
City you were born? Just pick any (random/unrelated) city instead of 2DXSDGREDV@#!
It's easier if you have to go through a person (who is usually forced to go through a script); also easier on the phone.