How to create random readable strings for .Net application

Why would I want to be random?

If you need a random string, I assume you know why you're here. However there are some common uses for random strings I want to list out for the Google juice factor:

1. CAPTCHA codes when not using something cool like reCAPTCHA
2. Email verification codes.
3. Nonce values for challenge/response.
4. salt values to increase entropy on password hashes.
5. Registration codes.

How should I generate them in .Net?

There is a simple answer, really. In .Net you can just make a call to RNGCryptoServiceProvider's GetNonZeroBytes method and convert those bytes to characters.

var random = new byte[16];           // whatever size you want
var rng = new RNGCryptoServiceProvider();
rng.GetNonZeroBytes(random);         // Fill with non-zero random bytes

return Convert.ToBase64String(random);  // convert to a string.

If you have the MVC 4 package available, you can use the convenient Crypto.GenerateSalt method as a shorthand as it essentially does the above code.

This, of course, limits the returned string to the Base-64 characters.

When should I care about the contents?

In general, you don't care about the contents of the random string. The one generated by logic above is pretty useful as it is a wide set of all-ASCII characters that will not get you in trouble when crossing code-pages.

The biggest downside of this approach is that the string is only using the a 64 character set, so you're excluding a lot of other possible characters, but in most applications that isn't a problem.  In fact, quite the opposite is true. In many cases, we might want to avoid specific characters like the + character  because this might be used in a URL In other cases, you might want to generate a fuller character set (or a specific set  like an all-emoji string).

A more common need, though, would be if you need to put something on screen for a user to type (such as a registration code) that should not be easy to mistake characters.  In some fonts, the characters 1, l and I or 0, o and 0 are very easily mistaken. For such cases, you can use a function like the following to generate a reasonably readable string

namespace Silly
{
    using System.Security.Cryptography;

    public static partial class Helpers
    {
        public static string RandomReadableString(int length)
        {
            return "23456789ABCDEFGHJKMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz".RandomString(length);
        }

        public static string RandomString(this string characterSet, int length)
        {
            var rng = new RNGCryptoServiceProvider();
            var random = new byte[length];
            rng.GetNonZeroBytes(random);

            var buffer = new char[length];
            var usableChars = characterSet.ToCharArray();
            var usableLength = usableChars.Length;

            for (int index = 0; index < length; index++)
            {
                buffer[index] = usableChars[random[index] % usableLength];
            }

            return new string(buffer);
        }
    }
}

You can call the second function against any string of characters. For example I'm using the RandomReadableString method to generate email confirmation codes that can easily be typed if needed.

Boring! Spice it up...

For even more fun, here's some Emoji sequences that can be used for eye charts or stupid pet code tricks.

// Emoji fun
// random weather "☀☁☂☃"
// random finger pointers "☜☝☞☟"
// random zodiac "♈♉♊♋♌♍♎♏♐♑♒♓"
// random chess pieces "♔♕♖♗♘♙♚♛♜♝♞♟"
// random music notation "♩♪♫♬♭♯"
// random trigrams "☰☱☲☳☴☵☶☷"
// random planets "♃♄♅♆♇"