STR Ops
Turnover Dispatch Smart lock Linen par Restock Damage Maintenance Blog
Access 6 min read

Airbnb smart lock codes: rolling vs static, what works

Why static Airbnb door codes are a slow-motion security leak, how rolling per-booking codes work, and the deterministic generator that runs on any keypad lock.

By

Airbnb smart lock codes: rolling vs static, what works — illustration about airbnb smart lock code generator

Most hosts start with a static code. Same four digits, every guest, for years. It’s easy to remember, easy to share, and easy for everyone who has ever stayed at the property to walk in two years later and pick up a forgotten phone charger.

Rolling codes — a fresh code per booking — solve that. They’re not new, they’re not expensive, and they’re not optional once you have more than a few stays.

What a static code actually leaks

The argument for static is “it’s just a guest, they’re not coming back.” Run the math.

  • 50 bookings a year × 4 years = 200 prior guests with your code.
  • A reasonable share of those guests texted the code to a partner, a friend, a babysitter.
  • A reasonable share saved it in a notes app that syncs to the cloud and gets indexed if breached.

You don’t have a lock. You have a public-facing PIN with marketing on Airbnb pointing at it.

The day the static code leaks (someone’s old screenshot, an Airbnb dispute screenshot, a returning guest who lets themselves in for “just a minute”), you’re not just changing the code — you’re changing it on every device, every cleaner, every co-host, every mid-stay handoff. That’s an afternoon of phone-tag during turnover.

What rolling codes solve

A rolling code is a per-booking code with two properties:

  1. Unique. Different from any other booking’s code.
  2. Bounded in time. Active from check-in (or a few hours before) to checkout (or a few hours after). Outside that window, it doesn’t work.

When the booking ends, so does the code. There’s nothing to rotate. Your prior guest’s screenshot doesn’t open the door tomorrow.

Two ways to get rolling codes:

  • Hardware. August, Schlage Encode, Yale Assure, RemoteLock — most modern smart locks support per-booking codes via app or PMS integration.
  • Software, on top of any keypad lock. A code generator that produces deterministic per-booking codes you punch into the lock manually (or via your PMS).

If you’re already on a smart lock with PMS integration, use it. If you’re on a keypad lock without smart features, the deterministic generator is the bridge.

Why “deterministic”

A random code is fine if you have a place to store it. A deterministic code is fine if you don’t.

The smart lock code rotator takes three inputs:

  • A secret you keep (your master phrase, never published).
  • The booking’s check-in date.
  • The guest’s first name (or last 4 of phone).

It runs HMAC-SHA-256 over those, takes the first 4 digits, and outputs a code. Same inputs, same code — every time. Different inputs, different code — always.

What that buys you:

  • No spreadsheet of codes. You can regenerate any code from the booking record alone.
  • No reuse. Two guests on the same date with different names get different codes; same guest on different dates gets different codes.
  • No leak from a code list, because there is no list.

The secret stays in your head (or your password manager). Even if a guest tries every reasonable PIN, the keyspace is 10,000 — and most smart locks lock out after 5 failed attempts. Brute force is not the threat.

The threat that is real

Codes leak through three channels:

  1. Returning guests. Solved by per-booking expiry on the lock. If the lock can’t enforce time-bounded codes, you have to manually clear codes after checkout. Set a recurring task.
  2. Cleaners. Cleaners need access. Use a separate cleaner code that you rotate quarterly — not the guest code. The cleaner code never goes in a guest message.
  3. Co-hosts and handymen. Same rule. Their own code, rotated at a known cadence.

The smart lock code rotator covers (1). The other two are still your job.

What to actually do this week

If you’re on static codes today, the migration is roughly:

  • Day 0. Pick your master phrase. Write it once, in the place you’ll remember (password manager, not a sticky note).
  • Day 1. Generate codes for every active and upcoming booking. Send the per-booking code to the guest 24 hours before check-in (not at booking confirmation — too easy to lose).
  • Day 2. Add a cleaner-only code, separate from the master.
  • Day 7. Schedule a quarterly cleaner-code rotation. Put it on the maintenance schedule so it doesn’t drift.
  • Day 30. Audit who else has a code. The list is shorter than you think — make it shorter.

Static codes are the operations equivalent of sticking with the same password since 2018. They worked until they didn’t, and the day they stop working is not a day you wanted to be reactive.

Frequently asked questions

Why are static Airbnb door codes a security risk?

After 50 bookings a year × 4 years, your single 4-digit code has been seen by ~200 prior guests, saved in cloud-synced notes apps, screenshotted into messages, and forwarded to friends. The day a returning guest tries the code at 2 a.m., your only options are to rotate it everywhere immediately — across cleaners, co-hosts, mid-stay guests — under time pressure.

How do rolling codes work for vacation rentals?

A rolling code has two properties: it's unique to one booking, and it's bounded by check-in and checkout times. When the booking ends, the code stops working — there's nothing to rotate. Smart locks with PMS integration (August, Schlage Encode, Yale Assure, RemoteLock) handle this automatically. For non-smart keypad locks, a deterministic code generator gives you the same effect manually.

What is a deterministic smart lock code generator?

A function that takes three inputs — your master phrase (kept secret), the booking's check-in date, and the guest's first name (or last 4 of phone) — and runs HMAC-SHA-256 over them to produce a 4-digit code. Same inputs always produce the same code, so you can regenerate any prior code from the booking record alone. Different inputs always produce different codes.

Should cleaners have the same door code as guests?

No. Cleaners need a separate code that rotates on a known cadence (quarterly is reasonable). The cleaner code never goes in a guest message, and the guest code never goes to the cleaner. Same rule applies to co-hosts, handymen, and pest-control vendors — each role gets its own code.

How big is the keyspace for a 4-digit lock code?

10,000 codes. That sounds small, but most modern smart locks lock out for 5–30 minutes after 3–5 failed attempts, which makes brute-force impractical. The real risk is leakage — codes that escape via screenshots, shared notes apps, or returning guests — not exhaustive guessing. Rolling codes solve leakage; longer codes solve brute force.

Tools in this post

More tools across the STR cluster

STR Buyers

Pre-buy: DSCR, market score, comp analysis.

Visit

STR Host

Analyzing: profit, RevPAR, break-even.

Visit

STR Guests

Optimizing: house rules, welcome books, AI replies.

Visit

Built by The STR Ledger. Excel templates and PDFs for short-term rental finance.

Visit The STR Ledger