Remote access and security: is Hassio still insecure even though a login is needed?

I’ve been studying the security section in the docs.

What I do not understand is: in what way is my installation unsafe?
I use a DNS service and port forwarding of 8123 to my RPi.
On first access from the LAN I need credentials to log in to my HA UI.

Is there a risk that my system can be accessed at a lower level if I don’t use, for instance, TOR?

If your DNS service does not utilise HTTPS certificates, then the connection is unencrypted and the information (including your password) sent over the link is easily intercepted.

If it’s encrypted, then your biggest risk is a dictionary attack (automated password guessing). Using IP ban (and a strong password) practically eliminates this risk. There are scanners (Shodan) that can easily be set up to find HA server ports, but if someone finds your HA, not only won’t they be able to log in, you can also set up alerts to tell you they tried.

If you think this risk is still unacceptable, you can use a VPN or TOR (or the HA cloud service) to eliminate the need to open a port in your router.

To add to what Tom said… use 2FA as well. If you want it really secure, use the new ZeroTier One add-on for all remote access, which does not require ANY port forwarding. Of course, if you use the Google Assistant manual integration you still need DuckDNS and SSL and port forwarding.
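The two settings the replies above lean on (TLS on the forwarded port, and IP ban after failed logins) both live in the `http:` block of Home Assistant's `configuration.yaml`. The following is an added example written for this thread, not config posted by either reply author; the `/ssl/fullchain.pem` and `/ssl/privkey.pem` paths are assumed to be where the DuckDNS add-on writes its Let's Encrypt files, and the threshold value of 5 is an arbitrary choice. The weak variant is shown commented out so the file stays valid YAML (a second top-level `http:` key would be a duplicate).

```yaml
# Added example, not from the thread. Two versions of the http: block.

# --- Weak: port 8123 forwarded to the Pi, plain HTTP, no ban on failed logins ---
# Credentials cross the internet unencrypted and password guessing is unlimited.
# http:
#   server_port: 8123

# --- Hardened: TLS on the forwarded port plus automatic IP ban ---
http:
  server_port: 8123
  ssl_certificate: /ssl/fullchain.pem   # certificate chain from the DuckDNS add-on (assumed path)
  ssl_key: /ssl/privkey.pem             # matching private key (assumed path)
  ip_ban_enabled: true                  # allow banning of source IPs
  login_attempts_threshold: 5           # failed logins from one IP before it is banned (chosen value)
```

`ip_ban_enabled` alone does nothing until `login_attempts_threshold` is set; once a ban triggers, the offending address is appended to `ip_bans.yaml` in the config directory and Home Assistant raises a persistent notification in the UI, which is the "alert that they tried" Tom mentions. 2FA, as the second reply suggests, is enabled per user from the profile page rather than in this file.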