Qualys SSLLabs is a free online service that performs a deep analysis of the configuration of any SSL web server on the public Internet. More information can be found here.
StartTLS is an extension to plain text communication protocols, which offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication.
Password Entry & Storage
A strong, secure password depends on several factors: complexity, length and uniqueness. A password should consist of a minimum of 12 characters (subject to change) to ensure it's sufficiently hard to break. Assuming it's unique and chosen at random, the greater the length, the stronger the password.
If a password is stored in a safe and secure manner, such that it's only known to you, there are no technical constraints regarding which characters can be used. That said, a restriction doesn't necessarily mean passwords are stored insecurely either. Often, sites that restrict which characters can be used do so in a misguided attempt to mitigate risks to their own systems. Although not definitive, such a restriction is often a good indicator that the method of storage is not particularly safe.
A password is, by definition, a shared secret. There are several methods of storage, each with their own benefits & drawbacks.
Plain Text: Storing passwords in plain text should be avoided at all costs. If you must use a service which adopts this method, ensure your password is absolutely unique and bears no resemblance to any password you've chosen before.
Encrypted: Under very limited circumstances, some sites may require knowledge of your chosen password (unified email inboxes, dialup authentication, APIs etc). When combined with solid key management, encryption allows your credentials to be protected whilst "at rest", but still allows the service to function as expected. The terms "encrypted" and "hashed" are often used interchangeably, but they are fundamentally different. As a service provider, there's only a need to encrypt/encipher a password if there's a need to decipher it later.
Hashed: In the vast majority of cases, passwords should be hashed using an appropriate algorithm. As opposed to "encryption", hashing is a one-way digest of your password, such that recovering the original secret is almost impossible.
Authentication & Session Management
HTTP offers absolutely no guarantee of privacy, integrity, authenticity or security, meaning data can be easily intercepted and read by an attacker. HTTPS/SSL/TLS offers greater protection by ensuring the initial login screen is authentic and any data sent is encrypted such that only authorised parties can read the contents.
No. The security & integrity of future pages is dependent entirely on that of the previous. If the initial login page is served over HTTP, your credentials can be compromised.
A site operating in "mixed mode" is willing to share your cookie/session information over an insecure protocol (HTTP). If an attacker is able to obtain your session information, they may not require your username/password in order to access your account.
If a cookie is marked as "HTTP Only", it is typically unavailable to & protected from scripts (malicious or otherwise) running on the page and, with only a few exceptions, is used purely by your browser during each request. If a script contained within the site requires access to your cookies, it's reasonable for a site to operate without this option.
If a cookie is marked as "Secure", it will only be sent back/forth using an encrypted protocol (HTTPS).
The X-Frame-Options header allows or disallows rendering of the document inside an IFRAME. It is usually implemented to mitigate "clickjacking" attacks.
HSTS or HTTP Strict Transport Security is a web security policy mechanism which helps to protect secure HTTPS websites against downgrade attacks and cookie hijacking. Once deployed, a site will never try to communicate over an insecure protocol (HTTP) until the TTL (time to live) value expires. This value is set by the site, although many browsers set sanity limits of around 2 months to ensure a site remains accessible in the event of a fault.
HPKP or HTTP Public Key Pinning is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to prevent MITM attacks with forged certificates.
CSP or Content Security Policy is a security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks.
The XSS protection header (X-XSS-Protection) is served by a site to enable the browser's built-in Cross-Site Scripting (XSS) filter, which may have been disabled by the user or system administrator.
Content Type Options (X-Content-Type-Options) prevents supported browsers from sniffing the type of data they're about to receive, forcing it to be interpreted as the type specified by the site.
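As an added example (not code from the original page) tying together the cookie flags and response headers discussed above: a small audit that takes a response's raw headers and reports which of those protections are absent. The sample response and cookie names are constructed for illustration.

```python
# Constructed sample response headers (fictional site, not real data).
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),  # Secure flag missing
    ("Set-Cookie", "prefs=dark; Path=/"),                 # neither flag set
]

# Headers the page describes, with the risk each one mitigates when present.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "HSTS missing: browser may still talk plain HTTP",
    "X-Frame-Options": "X-Frame-Options missing: page can be framed (clickjacking)",
    "Content-Security-Policy": "CSP missing: no restriction on script sources",
    "X-Content-Type-Options": "X-Content-Type-Options missing: content types may be sniffed",
}


def cookie_flags(set_cookie_value: str) -> tuple:
    """Return (cookie name, set of lower-cased attribute names) from a Set-Cookie value."""
    name_value, _, attrs = set_cookie_value.partition(";")
    name = name_value.split("=", 1)[0].strip()
    flags = {a.strip().split("=", 1)[0].lower() for a in attrs.split(";") if a.strip()}
    return name, flags


def audit_response(headers) -> list:
    """Return findings for a response given as (name, value) pairs.

    Header names are matched case-insensitively, and every Set-Cookie line is
    checked for the Secure and HttpOnly flags the page describes.
    """
    findings = []
    present = {name.lower() for name, _ in headers}
    for name, message in REQUIRED_HEADERS.items():
        if name.lower() not in present:
            findings.append(message)
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, flags = cookie_flags(value)
        if "secure" not in flags:
            findings.append(f"cookie {cookie!r} lacks Secure: may be sent over plain HTTP")
        if "httponly" not in flags:
            findings.append(f"cookie {cookie!r} lacks HttpOnly: readable by page scripts")
    return findings
```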
Any vulnerability which potentially provides instant or near-instant access to critical system/user information with little or no real effort. Typical examples are SQL injection, Arbitrary Code Execution, Database / Server credential leaks, open, unauthenticated ports etc.
Any vulnerability which potentially provides access to system/user information with minimal effort required on behalf of the attacker. Typical examples are Stored / Reflected XSS, CSRF, broken authentication / session management etc.