• With a local password manager such as KeePassXC, I avoid storing my password database on an untrusted cloud computing platform, or a server colo’d somewhere under potentially dubious security. I only have to worry about securing the endpoints that have a copy of the password database, and the software itself.

    KeePassXC is vulnerable to leaking my unlocked database if my endpoints become compromised. If my browser or computer is compromised, how would your password manager protect against that? Does it offer any meaningful improvement to the issue of compromised end user devices?

  • This is a lot of cryptography, but how is it better than the hundred previous attempts, that simply hashed the input?
  • FYI: Bastion assumes a trusted local execution environment and a strong master secret. It does not defend against a compromised OS or browser runtime. The system trades convenience (sync, cloud recovery) for deterministic, stateless, and cryptographically verifiable password generation.
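To make the distinction in this thread concrete (a memory-hard KDF with domain separation versus "simply hashing the input"), here is an added Python sketch of deterministic, stateless password derivation. It is not Bastion's code and not taken from the thread; the alphabet, the scrypt parameters, the salt layout and the check-tag scheme are all my assumptions, chosen to show the shape of such a design.

```python
import hashlib
import hmac
import string

# Assumed output alphabet for generated passwords (not Bastion's own).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
# Largest multiple of len(ALPHABET) that fits in a byte; bytes at or above it
# are rejected so every symbol is equally likely (no modulo bias).
_LIMIT = 256 - (256 % len(ALPHABET))


def _stretch(master: str, salt: bytes) -> bytes:
    """Memory-hard key stretching: each guess at the master secret costs
    ~16 MiB of RAM and many iterations instead of one fast SHA-256."""
    return hashlib.scrypt(master.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)


def derive_password(master: str, site: str, username: str,
                    counter: int = 1, length: int = 20) -> str:
    """Stateless derivation: site, username and a rotation counter are folded
    into the salt, so nothing per account has to be stored or synced."""
    salt = (b"pw-v1\x00" + site.encode() + b"\x00" + username.encode()
            + b"\x00" + str(counter).encode())
    key = _stretch(master, salt)
    chars = []
    block = 0
    while len(chars) < length:
        # Expand the derived key into as many bytes as rejection sampling needs.
        stream = hashlib.shake_256(key + block.to_bytes(4, "big")).digest(64)
        for b in stream:
            if b < _LIMIT:
                chars.append(ALPHABET[b % len(ALPHABET)])
                if len(chars) == length:
                    break
        block += 1
    return "".join(chars)


def check_tag(master: str) -> str:
    """Short, site-independent tag shown to the user so a mistyped master
    secret is noticed before a wrong password is generated. The tag is an
    HMAC over a stretched key, so it does not reveal the master secret."""
    key = _stretch(master, b"check-v1")
    return hmac.new(key, b"tag", hashlib.sha256).hexdigest()[:6]


def naive_password(master: str, site: str) -> str:
    """The 'simply hashed the input' design criticised above: one fast SHA-256,
    no key stretching, and plain concatenation, so ("ab","c") and ("a","bc")
    collide on the same input string."""
    return hashlib.sha256((master + site).encode()).hexdigest()[:16]


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print("tag:", check_tag("correct horse battery"))
    print("pw :", derive_password("correct horse battery", "example.com", "alice"))
    print("pw2:", derive_password("correct horse battery", "example.com", "alice", counter=2))
```

The important properties are that the same master secret, site, username and counter always yield the same password (so no database exists to leak or sync), that changing any one of them yields an unrelated password, and that an attacker who captures one site's password still faces the scrypt cost for every guess at the master secret. None of this helps if the device running it is already compromised, which is exactly the caveat raised in the thread.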