How many smaller hotels, shop and other wifi APs bothered to change the default admin password? A lot did not. So, you may need a user password initially (as a customer), but then the setup page is usually at http://router/
where the router model and version are commonly displayed. A quick search on the Internet and you may try the default root/admin password which is quite likely to work. Then you may inject your own DNS servers, and voilà.
Not mentioning how you can also (even more) easily impersonate any of the no-password SSID that people know well (the phone/mac/pc will choose the highest Db one when both are available), and again redefine some DNS entries, add some filtering etc...
So this hotels security hole is maybe important - but the whole wifi/routers security concept is pretty much flawed in the first place (due to people negligence and incompetence, to routers manufacturers who want to provide an "easy setup" router, to other many entities keen on providing a free wifi access with no security at all etc...).