Doing a partial string match on a password would effectively require it in reversible form. Even if you hashed all the possible substrings of the password, it would be trivial to brute force given all the hashes of the same string with one extra character on the end...
But OP was mistaken - the tool Google uses only alerts if the entire password is typed. Meaning that OP's friend was careless with password hygiene. As is nearly every new Google employee.
Doing a partial string match on a password would effectively require it in reversible form. Even if you hashed all the possible substrings of the password, it would be trivial to brute force given all the hashes of the same string with one extra character on the end...
But OP was mistaken - the tool Google uses only alerts if the entire password is typed. Meaning that OP's friend was careless with password hygiene. As is nearly every new Google employee.