I dunno, I wouldn't discount this entirely. An advanced targeted attack could likely profile a user for their "likes" in a random string (e.g., favorite letters appearing often), but in the case of anonymous, brute-force-style attacks, "I just click things and scroll around until I see something I like" is probably really useful. It could, for example, protect against a somewhat predictable generator, since you won't know "the user always uses the first password, and the first password is always seeded incorrectly", or some other specific implementation flaw.