And yes, it does store a hash of the password on the local machine, although I suspect it's only a 32 bit hash or something so you can't 'crack' it to recover the original password.
Doing a partial string match on a password would effectively require it in reversible form. Even if you hashed all the possible substrings of the password, it would be trivial to brute force given all the hashes of the same string with one extra character on the end...
But OP was mistaken - the tool Google uses only alerts if the entire password is typed. Meaning that OP's friend was careless with password hygiene. As is nearly every new Google employee.
https://chrome.google.com/webstore/detail/password-alert/noo...
And yes, it does store a hash of the password on the local machine, although I suspect it's only a 32 bit hash or something so you can't 'crack' it to recover the original password.