You need to generate random bytes using RNGCryptoServiceProvider and append only the valid ones to the returned string:

const string valid = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";

static string GetRandomString(int length)
{
    string s = "";
    using (RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider())
    {
        while (s.Length != length)
        {
            byte[] oneByte = new byte[1];
            provider.GetBytes(oneByte);
            char character = (char)oneByte[0];
            if (valid.Contains(character))
            {
                s += character;
            }
        }
    }
    return s;
}

You could also use modulo in order to not skip the invalid byte values but that the chances for each character won't be even.

see https://bitbucket.org/merarischroeder/number-range-with-no-bias/

I'm sure I have answered this one before with a secure implementation, no bias, and good performance. If so, please comment.

Looking at Tamir's answer, I thought it would be better to use the modulus operation, but trim off the incomplete remainder of byte values. I'm also writing this answer now (possibly again), because I need to reference this solution to a peer.

Approach 1

• Support for ranges that are no bigger than 0-255. But it can fall back to approach 2 (which is a little slower)
• One byte is always used per value.
• Truncate the incomplete remainder if (buffer[i] >= exclusiveLimit)
• Modulate the desired range size. After truncation beyond the exclusiveLimit the modulus remains perfectly balanced
• (Using a bitmask instead of modulus is a slower approach)
• EG. If you want a range 0-16 (that's 17 different values), then 17 can fit into a byte 15 times. There is 1 value that must be discarded [255], otherwise the modulus will be fine.

Code for Approach 1

    const string lookupCharacters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";

    static void TestRandomString()
    {
        Console.WriteLine("A random string of 100 characters:");

        int[] randomCharacterIndexes = new int[100];
        SecureRangeOriginal(randomCharacterIndexes, lookupCharacters.Length);
        var sb = new StringBuilder();
        for (int i = 0; i < randomCharacterIndexes.Length; i++)
        {
            sb.Append(lookupCharacters[randomCharacterIndexes[i]]);
        }
        Console.WriteLine(sb.ToString());

        Console.WriteLine();
    }

    static void SecureRangeOriginal(int[] result, int maxInt)
    {
        if (maxInt > 256)
        {
            //If you copy this code, you can remove this line and replace it with `throw new Exception("outside supported range");`
            SecureRandomIntegerRange(result, 0, result.Length, 0, maxInt);  //See git repo for implementation.
            return;
        }

        var maxMultiples = 256 / maxInt; //Finding the byte number boundary above the provided lookup length - the number of bytes
        var exclusiveLimit = (maxInt * maxMultiples); //Expressing that boundary (number of bytes) as an integer

        var length = result.Length;
        var resultIndex = 0;

        using (var provider = new RNGCryptoServiceProvider())
        {
            var buffer = new byte[length];

            while (true)
            {
                var remaining = length - resultIndex;
                if (remaining == 0)
                    break;

                provider.GetBytes(buffer, 0, remaining);

                for (int i = 0; i < remaining; i++)
                {
                    if (buffer[i] >= exclusiveLimit)
                        continue;

                    var index = buffer[i] % maxInt;
                    result[resultIndex++] = index;
                }
            }
        }
    }

Approach 2

• Technically ranges from 0 to ulong.Max can be supported
• Treat RNGCryptoServiceProvider bytes as a bitstream
• Calculate the base2 bit length needed per number
• Take the next number from the random bitstream
• If that number is still greater than the desired range, discard

Results:

• See the repository for the latest results from the test harness
• Both approaches appear to have a suitably balanced distribution of numbers
• Approach 1 is faster [859ms] but it only works on individual bytes.
• Approach 2 is a little slower [3038ms] than Approach 1, but it works across byte boundaries. It discards fewer bits, which can be useful if the random stream input becomes a bottleneck (different algorithm for example).
• A hybrid of both approaches gives the best of both worlds: better speed when the byte range is 0-255, support for ranges beyond 255 but a bit slower.

I personally like to use this:

private static string GenerateRandomSecret()
{
    var validChars = Enumerable.Range('A', 26)
        .Concat(Enumerable.Range('a', 26))
        .Concat(Enumerable.Range('0', 10))
        .Select(i => (char)i)
        .ToArray();

    var randomByte = new byte[64 + 1]; // Max Length + Length

    using (var rnd = new RNGCryptoServiceProvider())
    {
        rnd.GetBytes(randomByte);

        var secretLength = 32 + (int)(32 * (randomByte[0] / (double)byte.MaxValue));

        return new string(
            randomByte
                .Skip(1)
                .Take(secretLength)
                .Select(b => (int) ((validChars.Length - 1) * (b / (double) byte.MaxValue)))
                .Select(i => validChars[i])
                .ToArray()
        );
    }
}

There shouldn't be any part that needs additional description, but to clarify, this function returns a random string with a random length between 32 and 64 chars and doesn't use % (mod) therefore should keep uniformity a little better.

I use this to create a random salt at program installation and later save it to a file. Therefore security of generated string is not of special concern while the program is running as it is going to get written to an unencrypted file later on anyway.

However, for more serious situations, this shouldn't be used as it is and should be converted to use SecureString class if you are going to keep this value in memory. Read more here:

https://docs.microsoft.com/en-us/dotnet/api/system.security.securestring?redirectedfrom=MSDN&view=netframework-4.7.2

However, even this only applies to NetFramework, for NetCore you need to find another way to secure the value in the memory. Read more here:

https://github.com/dotnet/platform-compat/blob/master/docs/DE0001.md

My implementation that fixes the issue with 5,9541963103868752088061235991756 bits

public static string RandomString(int length)
{
    const string alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
    var res = new StringBuilder(length);
    using (var rng = new RNGCryptoServiceProvider())
    {
        int count = (int)Math.Ceiling(Math.Log(alphabet.Length, 2) / 8.0);
        Debug.Assert(count <= sizeof(uint));
        int offset = BitConverter.IsLittleEndian ? 0 : sizeof(uint) - count;
        int max = (int)(Math.Pow(2, count*8) / alphabet.Length) * alphabet.Length;
        byte[] uintBuffer = new byte[sizeof(uint)];

        while (res.Length < length)
        {
            rng.GetBytes(uintBuffer, offset, count);
            uint num = BitConverter.ToUInt32(uintBuffer, 0);
            if (num < max)
            {
                res.Append(alphabet[(int) (num % alphabet.Length)]);
            }
        }
    }

    return res.ToString();
}

 private string sifreuretimi(int sayı) //3
    {
        Random rastgele = new Random();  
        StringBuilder sb = new StringBuilder();
        char karakter1 = ' ', karakter2 = ' ', karakter3 = ' ';
        int ascii1, ascii2, ascii3 = 0;

        for (int i = 0; i < sayı/3; i++)
        {
            ascii1 = rastgele.Next(48,58);
            karakter1 = Convert.ToChar(ascii1);

            ascii2 = rastgele.Next(65, 91);
            karakter2 = Convert.ToChar(ascii2);

            ascii3 = rastgele.Next(97, 123);
            karakter3 = Convert.ToChar(ascii3);

            sb.Append(karakter1);
            sb.Append(karakter2);
            sb.Append(karakter3);
        }
        return sb.ToString();
    }

Since RNGRandomNumberGenerator only returns byte arrays, you have to do it like this:

static string RandomString(int length)
{
    const string valid = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
    StringBuilder res = new StringBuilder();
    using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
    {
        byte[] uintBuffer = new byte[sizeof(uint)];

        while (length-- > 0)
        {
            rng.GetBytes(uintBuffer);
            uint num = BitConverter.ToUInt32(uintBuffer, 0);
            res.Append(valid[(int)(num % (uint)valid.Length)]);
        }
    }

    return res.ToString();
}

Note however that this has a flaw, 62 valid characters is equal to 5,9541963103868752088061235991756 bits (log(62) / log(2)), so it won't divide evenly on a 32 bit number (uint).

What consequences does this have? As a result, the random output won't be uniform. Characters which are lower in valid will occur more likely (just by a small fraction, but still it happens).

To be more precise, the first 4 characters of the valid array are 0,00000144354999199840239435286 % more likely to occur.

To avoid this, you should use array lengths which divide evenly like 64 (Consider using Convert.ToBase64String on the output instead, since you can cleanly match 64 bits to 6 bytes.