Your Google account is your digital life

Imagine waking up tomorrow
and it's all gone.

Your email. Your Drive. Your Workspace. Your Ads. Your YouTube. All behind one password. PassPhantom is a free Chrome extension that rotates your Google password with one click and stores it in Bitwarden. Every stolen session dies instantly.

How it works

One click. Ten seconds. Total protection.

1. Install and configure once

Install PassPhantom from the Chrome Web Store. Connect it to your Bitwarden vault. Set your Google account. Five minutes of setup, once. You're done.

2. Click "Rotate Password"

PassPhantom generates a new password using a cryptographically secure random generator, changes it on your Google account, and stores it in Bitwarden — all in about 10 seconds. Google invalidates every active SID/HSID cookie server-side. Every stolen token becomes worthless.

3. Next morning, Bitwarden logs you in

You open Chrome, go to Gmail. Bitwarden fills the new password. You don't know what the password is. You don't need to. It changed last night and it will change again tonight.

PassPhantom works with Bitwarden — a free, open-source password manager. If you don't have one yet, this is a great reason to start. Bitwarden handles all your passwords, not just Google.

Your digital life

Think about what's behind that one password.

Gmail

Every conversation. Every password reset link. Every confidential attachment. Your email is the master key to every other account you own.

Google Drive

Contracts, tax returns, business plans, personal photos. Years of documents that you'd never share with a stranger — now accessible to anyone with your cookie.

Google Ads

Campaign budgets, billing data, conversion analytics. Attackers drain budgets or redirect campaigns. Average loss per incident: 10,000–100,000 EUR.

YouTube

Channel hijacking is a multi-million dollar criminal industry. Attackers stream crypto scams, delete content, or ransom the account. Recovery takes weeks — if Google responds at all.

Not every account needs this level of protection. Your random forum login doesn't. But Google? Google is your digital life. If someone steals your session cookie, they have access to ALL of it.

The gap

Microsoft lets admins revoke all sessions with one API call.
Google doesn't.

Microsoft 365 provides revokeSignInSessions — a documented, supported API that invalidates every active token for a user. Admins can automate it, schedule it, trigger it on demand.

Google Workspace charges up to 25 EUR/user/month. There is no equivalent API. No programmatic session revocation. No automated defense against stolen cookies. The only mechanism that forces server-side invalidation of SID/HSID cookies is a password change.

PassPhantom automates that password change. It is the only tool that does this because Google has not built the alternative.

Why this matters
  • 1.8B credentials stolen per year by infostealers (SpyCloud 2025)
  • 66% of infostealers evade endpoint detection (EDR) (Red Canary 2025)
  • ~2030: estimated full deployment of Google DBSC (Chrome origin trial since 2024)

Passkeys protect the login. Infostealers steal the already-authenticated session. MFA does not help once the cookie exists. The only countermeasure is invalidating the cookie server-side — which requires a password change.

The blind spot

Passkeys protect the door.
PassPhantom burns the guest passes.

The industry is selling passkeys as the solution to credential theft. They are not. Passkeys protect the authentication step — the moment you log in. Infostealers do not attack the login. They steal the session cookie that already exists after authentication.

It does not matter if you authenticated with a passkey, a password, or biometrics. Once the cookie exists in Chrome's SQLite database, a Lumma or RedLine stealer can exfiltrate it in under 30 seconds. The attacker replays the cookie from another machine and they are you.

The only way to kill that cookie is to change the password. That is what PassPhantom does — every single day.

Comparison

Most solutions try to prevent the steal.
PassPhantom makes the stolen data worthless.

| | PassPhantom | EDR / XDR | Google DBSC | Passkeys |
|---|---|---|---|---|
| Stops cookie replay attacks | Yes | Sometimes | Yes | No |
| Works after malware has run | Yes | No | Partial | No |
| Invalidates stolen credentials | Yes | No | No | No |
| Available today | Yes | Yes | ~2030 | Yes |
| No endpoint agent required | Yes | No | Yes | Yes |
| Works on personal devices | Yes | No | Partial | Yes |
Enterprise

For organizations: monitor who rotates and when.

The same free extension your team already uses, plus a dashboard that gives you visibility into your organization's password hygiene.

Admin dashboard

See which users rotated today, who hasn't rotated in 48+ hours, and the full rotation history (last 20 per user). Receive alerts when someone falls behind. One panel for your entire organization.
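
The three dashboard checks described above (rotated today, no rotation in 48+ hours, last 20 rotations per user) can be computed from a plain list of rotation events. This is an added example, not PassPhantom's own code; the event shape `{ user, rotatedAt }`, the function name `buildRotationReport`, the sample data, and the UTC-day definition of "today" are assumptions.

```javascript
// Added example, not PassPhantom code. Event shape { user, rotatedAt } is assumed.
const STALE_AFTER_MS = 48 * 60 * 60 * 1000; // "48+ hours" threshold from the page
const HISTORY_LIMIT = 20;                   // "last 20 per user" from the page

// Constructed sample data.
const sampleUsers = ['alice@example.com', 'bob@example.com', 'carol@example.com'];
const sampleEvents = [
  { user: 'alice@example.com', rotatedAt: '2025-03-10T07:55:00Z' },
  { user: 'bob@example.com',   rotatedAt: '2025-03-07T18:30:00Z' },
  { user: 'alice@example.com', rotatedAt: '2025-03-09T08:01:00Z' },
  { user: 'bob@example.com',   rotatedAt: 'not-a-date' }, // malformed, must be skipped
];

function buildRotationReport(users, events, now) {
  // Start every enrolled user with an empty history so that users who
  // never rotated still appear in the report.
  const history = new Map(users.map((u) => [u, []]));
  for (const ev of events) {
    const ts = Date.parse(ev.rotatedAt);
    // Skip malformed timestamps, future-dated events and unknown users.
    if (Number.isNaN(ts) || ts > now.getTime() || !history.has(ev.user)) continue;
    history.get(ev.user).push(ts);
  }
  // Assumption: "today" means the current UTC calendar day.
  const startOfDay = Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate());
  return users.map((user) => {
    // Newest first, capped at the last 20 rotations.
    const times = history.get(user).sort((a, b) => b - a).slice(0, HISTORY_LIMIT);
    const last = times.length ? times[0] : null;
    return {
      user,
      lastRotation: last === null ? null : new Date(last).toISOString(),
      rotatedToday: last !== null && last >= startOfDay,
      // A user with no recorded rotation counts as stale.
      stale: last === null || now.getTime() - last >= STALE_AFTER_MS,
      history: times.map((t) => new Date(t).toISOString()),
    };
  });
}

const report = buildRotationReport(sampleUsers, sampleEvents, new Date('2025-03-10T09:00:00Z'));
console.log(report.filter((r) => r.stale).map((r) => r.user));
```

Treating "never rotated" as stale matters here: a user who installed the extension but never clicked "Rotate" would otherwise be invisible to an alert that only looks at old timestamps.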

Deployment

Install the Chrome extension via Chrome Web Store or deploy it managed through your browser policy. No additional software needed. Each user clicks "Rotate" when they want to secure their session.

Enterprise Auto: automatic rotation

For organizations that need zero-touch protection. Enterprise Auto rotates passwords automatically on every shutdown and restart via a native .exe installer. Includes Secure Shutdown & Restart shortcuts and GPO enforcement to disable normal shutdown. Full control, no user action required.

Pricing

Three plans. One mission.

Free for everyone, forever. No limits, no restrictions. Protect every Google account in your life — or your organization.

Free
Free
for everyone — personal & business
  • ✓ Unlimited rotations
  • ✓ One-click rotation
  • ✓ Bitwarden integration
  • ✓ All Google services protected
  • ✓ No account required
Dashboard
2€ /user/month
team visibility & alerts
  • ✓ Everything in Free
  • ✓ Admin dashboard
  • ✓ Last rotation per user
  • ✓ 48h inactivity alerts
  • ✓ Rotation history (last 20)
  • ✓ Email support
Dashboard + Auto
3€ /user/month
full automation
  • ✓ Everything in Enterprise
  • ✓ Auto-rotation on shutdown
  • ✓ GPO enforcement
  • ✓ .exe installer for deployment
  • ✓ Email support

The extension is always free. Enterprise adds a dashboard for visibility into who rotates and when. Enterprise Auto adds automatic rotation on shutdown/restart via a native installer, with GPO enforcement for organizations that need full control.

Architecture

Everything runs locally. No cloud. No servers.

PassPhantom is a Chrome extension. There is no cloud. No server stores your passwords. No central database to breach. Passwords go to YOUR Bitwarden vault. We never see them.

Decentralized by design

Passwords are generated, changed, and stored entirely in your browser. Bitwarden encrypts them with AES-256. Your master password never leaves your device. We have zero access to your credentials.

Immune to coercion

If a government or attacker demands our "backdoor" — there is none. We don't have a single byte of your passwords. The decentralized architecture makes coercion pointless. This is not a policy. It is a technical constraint.

Separation of powers

PassPhantom rotates. Bitwarden stores. Google authenticates. No single entity controls everything. No single point of compromise.

| Component | Responsibility |
|---|---|
| PassPhantom (Chrome extension) | Password rotation, session invalidation |
| Bitwarden | AES-256 encrypted storage, cross-device sync |
| Google | Authentication, password validation, server-side session management |

Transparency

What happens if Google changes?

PassPhantom automates Google's password change page via a Chrome extension. If Google modifies this page, our extension needs to be updated.

Our commitment: we will release a fix within 24–48 hours of any Google interface change that affects PassPhantom.

In the unlikely event that Google makes automated password changes permanently impossible, we will notify all users immediately and cancel all enterprise subscriptions with no further charges.

PassPhantom is not affiliated with Google or Bitwarden. Google Workspace™ is a trademark of Google LLC. Bitwarden® is a trademark of Bitwarden Inc. PassPhantom is an independent security tool.

Trust
20,000+

users protecting their Google accounts

We've been using PassPhantom at the office for 3 months. 14 people, all on Google Workspace. You install it, set it up in 5 minutes, and forget about it. The peace of mind of knowing that if someone picks up an infostealer, the cookie is worthless the next day... that's priceless. And it's free.

Carlos M. IT Admin, tax consultancy

I manage 3 GCP projects and my Gmail is the recovery email for everything. After reading about the Lumma stealer campaigns, I installed PassPhantom. Rotating my password takes 10 seconds. I don't even know what my Google password is anymore — Bitwarden handles it. That's exactly how it should be.

Thomas K. Freelance developer

We manage €200K/month in Google Ads for our clients. One stolen cookie and someone could drain an entire campaign budget. PassPhantom rotates passwords daily, Bitwarden fills them automatically. Setup took 5 minutes per person. We should have done this a year ago.

Laura S. Head of Performance, digital agency

PassPhantom is built by a small team of security researchers based in Spain. We built this because Google doesn't offer session revocation, and we got tired of waiting. The extension is open-source ready and the code is auditable.

info@passphantom.com