Google Chrome - How does it work?

What does the Chrome extension do, and how does it work?

Why should I use it?

CultureAI’s browser extension enables clients to map and understand risky Software as a Service (SaaS) usage across your workforce. The extension provides a more comprehensive list of SaaS apps in use by employees compared to traditional Cloud Access Security Broker (CASB) solutions, and enriches this data with risk indicators, such as instances where apps are being used with weak passwords, lack Multi-Factor Authentication (MFA), or have shared accounts.

This integration also adds telemetry from other data sources you likely already have enabled and configured for password hygiene monitoring, e.g. interactions with phishing simulations.

What does it do?

Our Chrome extension allows you to track and monitor your employees' security behaviour while they use the Chrome web browser. If you'd like to install it, please click here to view our guide.

Our browser extension looks for login attempts that use a corporate email address and password, to understand which software applications your people are using and how secure their passwords are.

Once deployed, the extension tracks login sessions into form-based or single-sign-on (SSO) logins. It uses this information to understand whether employees are accessing approved or unapproved websites, while also checking password complexity and password reuse.

How does it work?

The CultureAI extension reads the browser profile of the employee and finds the identity of the individual using their email address. 

Once the email address and identity are obtained, the extension initiates a secure connection with the CultureAI service. Once the connection is established, the extension is able to read login attempts from form-based or SSO-based logins, such as "Log in with Google Account" style logins. The extension then tracks the login attempt and sends the data back to the CultureAI platform as a login attempt.

In addition to this functionality, the extension is also able to determine password complexity. It does this by taking the password that was used to log in to the SaaS tool from the browser's memory and running a complexity check against it. Once complexity is determined, CultureAI's extension hashes the password with SHA-256, cuts the hash in half and discards one of the halves.

The following data is then sent to CultureAI's secure production database and stored:

  • The login detection
  • The session ID
  • The email address of the individual (To identify them)
  • Complexity score of the password 
  • The remaining password hash after halving it
    The remaining half hash is then further halved and hashed two more times to further harden the security of this process.
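The transformation described above (SHA-256, keep one half, then halve and hash twice more), as an added illustration written for this page rather than CultureAI's own code. The page does not say which half is kept or exactly how the "halved and hashed two more times" step is sequenced, so this example assumes the first half is kept and that each of the two further rounds halves the current value and re-hashes it with SHA-256. The password reuse check at the end is likewise an assumption about how equal fingerprints could be compared across two logins.

```python
import hashlib


def truncated_password_fingerprint(password: str) -> str:
    """Derive the stored value from a password as the page describes.

    Assumed interpretation (not confirmed by the page):
      1. SHA-256 of the password -> 32 bytes
      2. keep the first half (16 bytes), discard the other half
      3. twice more: halve the current value, then SHA-256 it again
    The result is a one-way fingerprint; the full hash and the
    password itself are never stored.
    """
    digest = hashlib.sha256(password.encode("utf-8")).digest()  # 32 bytes
    kept = digest[: len(digest) // 2]  # first half only; the other 16 bytes are discarded

    # Two further "halve and hash" rounds (assumed reading of the page's wording).
    for _ in range(2):
        kept = kept[: len(kept) // 2]
        kept = hashlib.sha256(kept).digest()

    return kept.hex()


def same_password_reused(fingerprint_a: str, fingerprint_b: str) -> bool:
    """Assumed reuse check: two logins produced identical fingerprints.

    Because the transformation is deterministic, the same password always
    yields the same fingerprint, so equality can flag reuse across apps
    without the platform ever seeing the password.
    """
    return fingerprint_a == fingerprint_b


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    fp_portal = truncated_password_fingerprint("Summer2024!")
    fp_slack = truncated_password_fingerprint("Summer2024!")
    fp_other = truncated_password_fingerprint("a-different-passphrase")
    print("fingerprint:", fp_portal)
    print("reused between portal and Slack:", same_password_reused(fp_portal, fp_slack))
    print("reused with other login:", same_password_reused(fp_portal, fp_other))
```

The fingerprint is the hex form of a 32-byte SHA-256 output, so it is a fixed 64 hex characters regardless of the password's length; nothing about the original password length or characters survives in it.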

What makes a weak password?

We look at a mixture of factors to determine a weak password. A password matching any of the following is flagged as weak:

  • If it's in our list of common passwords (Such as password123, 123456, Qwerty)
  • 12 or fewer characters in length
  • Includes only one of: Uppercase letter, Lowercase letter, Digit or Special character
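The three rules above, implemented as an added example for this page (it is not CultureAI's own checker). The common-password list is a constructed stand-in containing only the three examples the page names, the comparison against it is assumed to be case-insensitive, and any non-alphanumeric character is assumed to count as a "special character".

```python
# Constructed subset: the page names only these three common passwords.
COMMON_PASSWORDS = {"password123", "123456", "qwerty"}


def character_classes(password: str) -> int:
    """Count how many of the four classes appear: upper, lower, digit, special."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)  # assumption: any non-alphanumeric
    return sum([has_upper, has_lower, has_digit, has_special])


def weak_password_reasons(password: str) -> list[str]:
    """Return every rule the password trips; an empty list means not weak.

    Rules, as stated on the page:
      - appears in the common-password list
      - 12 or fewer characters
      - only one character class (uppercase, lowercase, digit, special)
    """
    reasons = []
    if password.lower() in COMMON_PASSWORDS:  # assumption: case-insensitive match
        reasons.append("in common password list")
    if len(password) <= 12:
        reasons.append("12 or fewer characters")
    if character_classes(password) <= 1:
        reasons.append("only one character class")
    return reasons


def is_weak(password: str) -> bool:
    return bool(weak_password_reasons(password))


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ["Qwerty", "correcthorsebatterystaple", "Abcdefghijklm", "Tr0ub4dor&3xtra!"]:
        print(f"{sample!r}: weak={is_weak(sample)} reasons={weak_password_reasons(sample)}")
```

Note that a long password can still be weak under these rules: a 25-character all-lowercase passphrase fails the single-character-class test even though it comfortably passes the length test, so returning the list of reasons rather than a bare boolean makes it clear which rule a user needs to address.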

Common questions your employees might have

  • Can CultureAI see me logging into my personal accounts? (Facebook, Amazon, Youtube etc)
    No. CultureAI will only track logins that use corporate emails. For example, if someone logs into Twitter using Joebloggs@gmail.com, we won't track that.
  • Does CultureAI know/store my password?
    No. We receive the password from Chrome and run a complexity score on it; once this is complete, we hash the password and halve the hash. (Hashing is similar to encryption; however, encrypted data can be decrypted at a later point, whereas hashed data cannot be unhashed.)
    We only store the complexity score and the halved hash of the password. CultureAI isn't able to go back and view users' full passwords.
  • Why shouldn't I use my work email for personal accounts?
    The more places an email is registered, the higher the chance it could be compromised. Work emails should only be used for necessary work-related platforms, to reduce the number of places they sit. For example, if your work email is used on three platforms (Gmail, your work portal and Slack) and you then use it to order something on eBay, create a Spotify account and set up a LinkedIn profile, you've just doubled the likelihood of your work email being involved in a data breach. It is not best practice to use work credentials for non-work-related applications, nor to reuse passwords across multiple applications, especially when they are low in complexity.