This web site uses cookies. By using the site you accept the cookie policy.This message is for compliance with the UK ICO law.

.NET 1.1+

Generating Random Pronounceable Passwords

The use of passwords as a security measure is increasingly common for technical and non-technical users alike. Generating passwords that are both strong and memorable can be difficult. This article describes one method to alleviate this problem.


In recent years the number of passwords, passcodes and personal identification numbers (PIN) used by the average person has increased greatly, primarily due to the increased reliance on web-based and computerised services. It is common for an individual to have tens of passwords and for a technical user to have hundreds. The large number of passwords that a single person must remember leads to insecure practices, such as using the same password for multiple services or creating very simple, weak passwords. These may be common names or words that are vulnerable to dictionary attacks.

A more secure way in which to create passwords is to use a long, randomised series of letters, numbers and other characters. However, though it is possible to remember a few such passwords, the average user cannot apply a unique randomised character series to all of their credentials and remember them all. This leads to further insecure practices, such as creating a paper-based list of user names and passwords that could be stolen.

This growing problem can be alleviated to some degree, though not eliminated entirely, with the use of passwords that do not contain real words but that are possible to pronounce. Being able to say the password improves a person's ability to recall it. In this article we'll create a C# class that produces such passwords.

NB: This system produces passwords that are less strong that purely randomised sequences. It should not be used where security is critical, such as for systems that handle financial transactions or personal medical information. It would be more appropriate in these situations to use hardware devices, such as dongles, or biometric security. At the very least, strong passwords should be enforced

The PasswordGenerator Class

The PasswordGenerator class generates randomised passwords using the standard random number functionality provided by the .NET framework. Rather than choosing entirely random characters, it selects from lists of letters and letter pairs in combinations that should be pronounceable. Two sets of password elements are used. The first contains the five vowels and some pairs of vowels that are commonly seen in English words. The second contains consonants and consonant pairs that can appear at the start or end of English words and syllables. For the remainder of the article I will refer to these sets as simply vowels and consonants.

To begin, create a console application and add a new class named, "PasswordGenerator".

public class PasswordGenerator

We need three class-scoped variables. Two hold the vowels and consonants in string arrays. The third holds an instance of the Random class. The same Random object will be used for all calls to the same PasswordGenerator instance. We'll initialise all three values in the constructor, as follows:

string[] _vowels, _consonants;
Random _random = new Random();

public PasswordGenerator()
    _vowels = "A,AI,AU,E,EA,EE,I,IA,IO,O,OA,OI,OO,OU,U".Split(',');
    _consonants = 

Generate Method

The method that generates passwords has a single parameter to accept the number of elements that will appear in the final password. This is double the number of syllables that will be generated. It is also the minimum length of a password; the maximum length is twice the value specified in the argument.

Add the method's signature:

public string Generate(int elements)

To initialise the methods we create a new, empty StringBuilder to hold the password whilst it is assembled. To vary the passwords as much as possible, the method can generate sequences that start with either a vowel or a consonant. The selection is made by picking a random number of either zero or one. If it is zero, the vowel flag is set, indicating that the first element of the password will be taken from the _vowels array.

StringBuilder sb = new StringBuilder();
bool vowel = _random.Next(2) == 0;

Now that the method is initialised we use a for loop to count the number of elements being added. In each iteration an element is added to the StringBuilder using the AddElement method. If we are adding a vowel, we pass this method the _vowels array from which to select. If the vowel flag is not set, we pass the _consonants array instead. At the end of each iteration the vowel flag is toggled, ready for the next pass. Finally, on termination of the loop we convert the StringBuilder to a string and return it.

Add the following code to the Generate method:

for (int i = 0; i < elements; i++)
    AddElement(sb, vowel ? _vowels : _consonants);
    vowel = !vowel;

return sb.ToString();

To complete the class we need to define the AddElement method. This accepts the StringBuilder containing the password that is being constructed and an array of string elements. One element is randomly picked from the array and appended to the StringBuilder:

private void AddElement(StringBuilder sb, string[] elements)
18 March 2012