If there's a security question I use a string of random characters as the answer and don't record it (which effectively disables the feature on most sites).

You're right about email being central to authentication on the Web. This makes it important to protect.