ASP question about "randomize". How is this possible?

pureblueagave

New member
One of the websites I work on has a feature on it where visitors to the site can send an e-card to their friends. When a card is sent, a password is randomly generated so the person receiving the card can retrieve their card. This is a randomly generated 16-character alphanumeric string. See the following code.

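' Candidate characters; look-alike characters are left out
charstr = "abcdefghijkmnopqrstuvwxyz" _
        & "ABCDEFGHJKLMNPQRSTUVWXYZ" _
        & "23456789"
' Seed the Rnd generator (no argument: the system timer is the seed)
randomize
' Start the password with a number derived from the current date and time
password = INT((now/1)*100000)
' Append 16 characters picked with Rnd
for x = 1 to 16
    r = int(rnd(1)*len(charstr))
    password = password & mid(charstr,r+1,1)
next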

Some of the characters are purposely left out so that there is no confusion between a one (1) and a lower case L (l), or a zero (0) and an upper case o (O). Anyway, since there are 57 characters in the string of possible characters, and the password string is 16 characters long, there should be 57^16 different possible combinations, or 1.24165E+28... more than enough that it should never repeat the same password twice. However, two times in a one week span, two people got the same password. I thought if I used the "randomize" command in the code, it would shake things up and randomly pick characters. How is it possible that two people got the same exact 16 character string?
This is an ASP page.
 
Just because you're picking random characters doesn't mean it's impossible for two people to randomly get the same string. Especially since nothing in code is ever truly random (things are "randomly" picked based on an algorithm embedded in the programming language itself... it really just gives the appearance of being random).

But what you should really be doing here is storing the passwords in a database and checking the code being generated against the ones that already exist. If it finds a match, then it should regenerate the password until it finds one that hasn't been used.
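
An added example, not part of the thread, written in Python as a model of the ASP code in the question: with a timer-seeded generator the seed, not the 57^16 character space, decides how often passwords repeat, and the hardened form draws from the OS CSPRNG and keeps the uniqueness check suggested in the reply. `random.Random(timer_seed)` stands in for `randomize`/`rnd`; the function names and the `ASSUMED_SEED_SPACE` figure are assumptions for illustration.

```python
import math
import random
import secrets

# Character set from the question (57 characters, look-alikes removed).
CHARSET = ("abcdefghijkmnopqrstuvwxyz"
           "ABCDEFGHJKLMNPQRSTUVWXYZ"
           "23456789")

# Assumption for illustration: number of distinct seeds the generator accepts.
ASSUMED_SEED_SPACE = 2 ** 24

def seeded_password(timer_seed, length=16):
    """Model of the question's loop: the seed fully determines the output."""
    rng = random.Random(timer_seed)  # stand-in for randomize + rnd
    return "".join(CHARSET[int(rng.random() * len(CHARSET))]
                   for _ in range(length))

def collision_probability(n_cards, space):
    """Birthday bound: chance that n_cards uniform draws from `space` repeat."""
    return -math.expm1(-n_cards * (n_cards - 1) / (2.0 * space))

def csprng_password(length=16):
    """Hardened form: every character comes from the OS CSPRNG."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))

def issue_password(existing, generate=csprng_password, max_tries=5):
    """Uniqueness check from the reply: regenerate until the value is unused.

    `existing` models the database table of passwords already issued.
    """
    for _ in range(max_tries):
        candidate = generate()
        if candidate not in existing:
            existing.add(candidate)
            return candidate
    raise RuntimeError("could not generate an unused password")

if __name__ == "__main__":
    # Two requests that read the same timer value get the same password.
    print(seeded_password(43200.25) == seeded_password(43200.25))
    # Repeat risk for 5000 cards: seed-limited vs. the full 57^16 space.
    print(collision_probability(5000, ASSUMED_SEED_SPACE))
    print(collision_probability(5000, len(CHARSET) ** 16))
    print(issue_password(set()))
```

In a real deployment the uniqueness check is best enforced by a unique constraint on the password column, so two concurrent requests cannot both pass the lookup.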
 