Hotel key cards create far more fear and frustration than they ever should. I’m always tripped up by:
- asking a front desk for late checkout and even reminding them to code the key cards for it – and still they forget and the card expires at noon, and
- asking for an additional key when my wife checks in ahead of me, and I go to the desk so that I can head straight up in an elevator that requires the key card (so that my wife doesn’t have to come down to get me) – I remind the desk agent not to override access for the original keys, yet invariably they do it anyway.
I wrote about a hotel where key cards opened every single room in the hotel. The property didn’t configure their card machine correctly. Always bolt your door!
A reader, with experience as a hotel owner, shared with me that he has a habit of tossing “used” key cards into his bag instead of the trash. I often wind up with them in my pocket rather than leaving them behind. Well, this reader hung onto the keys and decided to experiment.
He first discovered that his keys stayed working, he says, at the Denver Tech Center Marriott back in 2018. He showed up to check in, found the lobby jammed with multiple motorcoaches and a long line, and remembered he still had the previous week’s key in his bag. Instead of waiting at the desk he walked to the lobby-level M Club. The old card opened the lounge.
And it kept working to open the club lounge “for at least another three months.” Every subsequent key from future stays worked on the lounge, too, long after the corresponding room nights ended he says. He started testing this at his other regular hotels. His notes:
-
Washington Dulles Marriott (on-airfield) – Old card: lounge access only, still functional after at least a month.
-
Hyatt Regency Orlando International Airport (on-terminal) – Old card: full property access (elevators, pool, gym) for at least three months.
-
Westin Denver Airport (on-terminal) – Old card: stairwell re-entry, including to guest-room levels.
-
Sheraton Suites near O’Hare – Old card: lounge-only access for at least three weeks.
-
Comfort Inn SLC Airport (Johnny Doolittle Road) – Old card: exterior doors and pool; based on how the system behaved, he’s confident it would still open the guest room until the next occupancy.
-
Salt Lake City Marriott City Center – Old card: lounge-only for at least a month.
He’s not creeping into rooms. He notes he didn’t try that in our “heavily armed, trigger happy society.” He is, however, demonstrating something that should make hotel security people wince.
How Hotel Keys Are Supposed To Behave
If you ask the lock manufacturers or read the manuals, they’ll tell you a reassuring story:
-
At check-in, the front desk encoder writes your room, access zones (like lounge or garage), and a valid-from / valid-to window onto the card.
-
Guest cards are valid only for a specified number of days.
-
When the next guest’s key is first used in the lock, the older card is automatically overridden and can’t open that room anymore.
-
At or shortly after check-out, the card should be useless everywhere.
The reader programmed the encoder at his hotel so that every access level died at 12:21 p.m. departure day – same behavior on exterior doors, pool, and gym. That gave a buffer after check-out time, but still locked guests out after their stay ended.
Why Last Month’s Key Still Opens The Club
In the real world, three things happen.
- Shared doors are treated very differently from guest rooms. A typical guestroom lock can remember the last valid key number it saw. When a new guest inserts their card, the lock updates its internal record and silently drops older cards for that room. That’s how you avoid the “previous guest shows up with a copy” problem.
A lounge door, or an elevator controller, doesn’t work that way. It isn’t tied to a single guest. The logic is basically:
-
“Is this card part of the ‘club access’ or ‘guest elevator’ group?”
-
“Is the current time still inside the card’s allowed window?”
There’s no per-guest override. If the time window is generous, every card issued to you in that period will keep opening that door until the window ends. That’s exactly the pattern you see in the Marriott and Sheraton examples – room access dies but the club door still still lets you in.
-
- The time windows for those zones are often ridiculously long. When a lock system is installed, someone has to decide how long “lounge access,” “property perimeter access,” or “garage access” should be valid. The path of least resistance is to make those groups valid for weeks or months and never revisit the defaults. So your card can easily look like this:
-
Room 1012 – valid June 3–6
-
Club lounge – valid June 1–August 31
-
Exterior doors – valid June 1–September 30
-
- Older or cheaper systems for limited-service hotels can be even sloppier.
On some budget platforms the model is, each card is “valid for N days on these doors,” and that’s largely it. The lock will stop accepting the card when the date rolls past, or when a newer key for that room is inserted.
If the front desk habitually sets “valid for 7 days” on every card, and the room sits empty for a while between occupants, an old card might still open it. That’s what my reader thinks he’s seeing at the Salt Lake City airport Comfort Inn.
Turning Your Hand Into A Hotel Key Card
If you think a stack of old plastic cards is unnerving, FlyerTalk has a thread that takes this to its logical conclusion.
A poster there describes having two RFID implants – one in each hand. One is a general-purpose NFC chip he uses to unlock his front door, open his garage, and trigger home-automation scenes. The other is more exotic: a chip built around the same technology that powers a huge chunk of hotel RFID keys, but with a rewritable ID.
When he checks into a hotel that uses compatible RFID keys, he:
-
Takes the issued key card to his room.
-
Uses an NFC reader/writer and software to copy the relevant data from the card onto the implant.
-
Waves his hand at the reader instead of the card.
To the lock, his hand is the card.
In the FlyerTalk story, a hotel employee spots him waving his hand at a side entrance. Management comes to the room a short time later, worried he’s somehow “hacked all the doors.” He spends a while explaining that:
-
He’s just cloned his own key, not a master.
-
To copy a master, he’d have to get that card very close to his implant reader.
-
Having the ability to do something isn’t the same as doing it.
The staff eventually stand down, but still think he’s nuts. Which, to be fair, is a normal reaction when your access control model is “magic plastic rectangles” and suddenly someone’s turning their hand into one.
Modern Systems Are Better, But Rollouts Are Slow
To be fair to the lock vendors, the state of the art has moved on. Newer hotel deployments use:
-
More secure card types (e.g. MIFARE Ultralight AES, DESFire) with proper AES-128 mutual authentication and per-card diversified keys, explicitly marketed as “anti-cloning.”
-
Better key management where each credential’s permissions and validity are tightly controlled, sometimes with more online communication to the lock.
-
Mobile keys that tie access to a specific device and app session instead of a generic piece of plastic.
Taken together, these changes make “my three-month-old club card still works” less likely. But hotels replace lock systems on decade-long cycles. A lot of properties are still running older platforms. And even with good technology, it’s still possible to misconfigure access groups and time windows.
Hotels Are Less Secure Than They Seem
The real takeaway isn’t just “free lounge access if you hoard key cards.” It’s the reminder that:
-
Physical security is only as good as how it’s configured.
-
A weak link is unreturned keys, generous validity windows on shared doors, and masters left on housekeeping carts.
Always use the physical dead bolt and door latch on your room.
Cool intel thanks