A Hotel Owner Tested Old Key Cards At Marriott, Hyatt, And Westin — Why They Still Opened Lounge, Gym And Elevators Months Later

by Gary Leff

Hotel key cards create far more fear and frustration than they ever should. I’m always tripped up by:

  1. asking a front desk for late checkout and even reminding them to code the key cards for it – and still they forget and the card expires at noon, and

  2. asking for an additional key when my wife checks in ahead of me, and I go to the desk so that I can head straight up in an elevator that requires the key card (so that my wife doesn’t have to come down to get me) – I remind the desk agent not to override access for the original keys, yet invariably they do it anyway.

I wrote about a hotel where key cards opened every single room in the hotel. The property didn’t configure their card machine correctly. Always bolt your door!

A reader, with experience as a hotel owner, shared with me that he has a habit of tossing “used” key cards into his bag instead of the trash. I often wind up with them in my pocket rather than leaving them behind. Well, this reader hung onto the keys and decided to experiment.

He first discovered that his keys stayed working, he says, at the Denver Tech Center Marriott back in 2018. He showed up to check in, found the lobby jammed with multiple motorcoaches and a long line, and remembered he still had the previous week’s key in his bag. Instead of waiting at the desk he walked to the lobby-level M Club. The old card opened the lounge.

And it kept working to open the club lounge “for at least another three months.” Every subsequent key from future stays worked on the lounge, too, long after the corresponding room nights ended he says. He started testing this at his other regular hotels. His notes:

  • Washington Dulles Marriott (on-airfield) – Old card: lounge access only, still functional after at least a month.

  • Hyatt Regency Orlando International Airport (on-terminal) – Old card: full property access (elevators, pool, gym) for at least three months.

  • Westin Denver Airport (on-terminal) – Old card: stairwell re-entry, including to guest-room levels.

  • Sheraton Suites near O’Hare – Old card: lounge-only access for at least three weeks.

  • Comfort Inn SLC Airport (Johnny Doolittle Road) – Old card: exterior doors and pool; based on how the system behaved, he’s confident it would still open the guest room until the next occupancy.

  • Salt Lake City Marriott City Center – Old card: lounge-only for at least a month.

He’s not creeping into rooms. He notes he didn’t try that in our “heavily armed, trigger happy society.” He is, however, demonstrating something that should make hotel security people wince.

How Hotel Keys Are Supposed To Behave

If you ask the lock manufacturers or read the manuals, they’ll tell you a reassuring story:

  • At check-in, the front desk encoder writes your room, access zones (like lounge or garage), and a valid-from / valid-to window onto the card.

  • Guest cards are valid only for a specified number of days.

  • When the next guest’s key is first used in the lock, the older card is automatically overridden and can’t open that room anymore.

  • At or shortly after check-out, the card should be useless everywhere.

The reader programmed the encoder at his hotel so that every access level died at 12:21 p.m. departure day – same behavior on exterior doors, pool, and gym. That gave a buffer after check-out time, but still locked guests out after their stay ended.

Why Last Month’s Key Still Opens The Club

In the real world, three things happen.

  1. Shared doors are treated very differently from guest rooms. A typical guestroom lock can remember the last valid key number it saw. When a new guest inserts their card, the lock updates its internal record and silently drops older cards for that room. That’s how you avoid the “previous guest shows up with a copy” problem.

    A lounge door, or an elevator controller, doesn’t work that way. It isn’t tied to a single guest. The logic is basically:

    • “Is this card part of the ‘club access’ or ‘guest elevator’ group?”

    • “Is the current time still inside the card’s allowed window?”

    There’s no per-guest override. If the time window is generous, every card issued to you in that period will keep opening that door until the window ends. That’s exactly the pattern you see in the Marriott and Sheraton examples – room access dies but the club door still still lets you in.

  2. The time windows for those zones are often ridiculously long. When a lock system is installed, someone has to decide how long “lounge access,” “property perimeter access,” or “garage access” should be valid. The path of least resistance is to make those groups valid for weeks or months and never revisit the defaults. So your card can easily look like this:

    • Room 1012 – valid June 3–6

    • Club lounge – valid June 1–August 31

    • Exterior doors – valid June 1–September 30

  3. Older or cheaper systems for limited-service hotels can be even sloppier.

    On some budget platforms the model is, each card is “valid for N days on these doors,” and that’s largely it. The lock will stop accepting the card when the date rolls past, or when a newer key for that room is inserted.

    If the front desk habitually sets “valid for 7 days” on every card, and the room sits empty for a while between occupants, an old card might still open it. That’s what my reader thinks he’s seeing at the Salt Lake City airport Comfort Inn.

Turning Your Hand Into A Hotel Key Card

If you think a stack of old plastic cards is unnerving, FlyerTalk has a thread that takes this to its logical conclusion.

A poster there describes having two RFID implants – one in each hand. One is a general-purpose NFC chip he uses to unlock his front door, open his garage, and trigger home-automation scenes. The other is more exotic: a chip built around the same technology that powers a huge chunk of hotel RFID keys, but with a rewritable ID.

When he checks into a hotel that uses compatible RFID keys, he:

  1. Takes the issued key card to his room.

  2. Uses an NFC reader/writer and software to copy the relevant data from the card onto the implant.

  3. Waves his hand at the reader instead of the card.

To the lock, his hand is the card.

In the FlyerTalk story, a hotel employee spots him waving his hand at a side entrance. Management comes to the room a short time later, worried he’s somehow “hacked all the doors.” He spends a while explaining that:

  • He’s just cloned his own key, not a master.

  • To copy a master, he’d have to get that card very close to his implant reader.

  • Having the ability to do something isn’t the same as doing it.

The staff eventually stand down, but still think he’s nuts. Which, to be fair, is a normal reaction when your access control model is “magic plastic rectangles” and suddenly someone’s turning their hand into one.

Modern Systems Are Better, But Rollouts Are Slow

To be fair to the lock vendors, the state of the art has moved on. Newer hotel deployments use:

  • More secure card types (e.g. MIFARE Ultralight AES, DESFire) with proper AES-128 mutual authentication and per-card diversified keys, explicitly marketed as “anti-cloning.”

  • Better key management where each credential’s permissions and validity are tightly controlled, sometimes with more online communication to the lock.

  • Mobile keys that tie access to a specific device and app session instead of a generic piece of plastic.

Taken together, these changes make “my three-month-old club card still works” less likely. But hotels replace lock systems on decade-long cycles. A lot of properties are still running older platforms. And even with good technology, it’s still possible to misconfigure access groups and time windows.

Hotels Are Less Secure Than They Seem

The real takeaway isn’t just “free lounge access if you hoard key cards.” It’s the reminder that:

  • Physical security is only as good as how it’s configured.

  • A weak link is unreturned keys, generous validity windows on shared doors, and masters left on housekeeping carts.

Always use the physical dead bolt and door latch on your room.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »

Comments

  2. “Always bolt your door!” Mhm. Unless, you’re into that kinda thing… Don’t yuck others yum!

  3. It sounds like you need your own locking mechanism when you go out so someone cannot go in and go through your luggage.

  4. There are tools which bypass any interior locks. The hotel doesn’t want to pay to replace a door damaged in a forceable entry just because a guest died in the room. The chain or U-lock can be bypassed with a physical tool, and the deadbolt can be overridden by hotel management. The door should keep track of anyone using the latter.

  5. Wow, this is both fascinating and a little scary. I had no idea old hotel key cards could keep working for months on shared areas. Definitely makes you look at hotel security very differently!

  6. I stayed a nationally known hotel last year that features early check-in where one bypasses the front desk.

    This was a premium brand within the hotel chains several brands.

    I, however, was went to the front desk to check in the old fashioned way even though I have the second highest tier with this particular hotel.

    I was given a room key and discovered someone else was already in the room. I noticed this only after I opened the door and saw a half open suitcase on the luggage rack.

    I complained to the front desk and they gave me another room key but the door to this second room would not open using that key.

    I then went back to the front desk, insisted the manager accompany me to the next room I was given, and when we opened that door the bed was not made but the person had checked out.

    Always bolt your door from the inside when you are in it.

    It appears easy enough for hotels to lose track of who’s in the room with early check-in bypassing the front desk and this can have significant downside.

  8. This is a terrific write-up and I’m so happy to see a cool mention of that one person who posted about their DangerousThings biohacker implants on FlyerTalk. As a person with chips in each of my hands, as well, it is neat to see people talk about their experiments there.

    I feel like I should go ahead and mention https://redteamtools.com/strap since there was the advice to always further secure your door beyond what they electronic lock purports to be doing. Tons of products on the market are advertised to hotel guests, but most of them are pretty worthless (or are, at best, a “please respect my privacy” device, not a security device) and that’s why I love the door strap.

    Full Disclosure: while I’m not the inventor of that strap (that honor goes to Melinda and Ron Moore, a retired couple from Oregon) when the original company went away (because Ron and Melinda passed away) I resurrected the design so I feel I should be up front about the fact that I make these now. Trust me, we’re not turning windfall profits around on them, though. I just thought they were such a good creation that I couldn’t allow the idea to die.

    Cheers and thanks for sharing this great write-up!

  10. @Deviant Ollam, that looks like an easy to use and inexpensive strap to keep a hotel door from unlocking. I would suppose that the strap with Velcro would also have other applications while on the road. Maybe highlighting some of them could drive sales for a multi use item.

Comments are closed.