Even if a web wallet has a second password, they are not secure at all! Never store your coins in a web wallet. There is a high chance you will lsoe everything. As for trezor/ledger, they aren't web wallets. They are hardware wallets and quite secure.
+1 for this.. I agree with everything adzino already said.
I just wanted to answer the OP's last question ("does the trezor / ledger have a second password?")... Depends on what you mean by "second password". If you mean 2FA, then no, a hardware wallet doesn't have 2FA. You can USE your ledger for services that accept FIDO 2FA tough... But in this case it's the other way around (you use your ledger FOR 2FA, it doesn't have 2FA). Trezor can also be used as a 2FA token.
That being said, both wallets are pin protected AND you can use a passphrase on top of this... Here's ledger's documentation, but trezor has the same feature:
https://support.ledger.com/hc/en-us/articles/115005214529-Advanced-passphrase-security
And just to stress the point adzino already made: it's not because a HW wallet like ledger or trezor aren't using 2FA that they are unsafe... They are a lot safer than any web wallet you'll ever visit...