SSL should be employed wherever there's going to be sensitive information transmitted. This includes site configuration stuff like passwords, database connection info, sensitive paths ... basically anytime the administrator or customer is going to be typing things that you don't want intercepted, SSL should be used to ensure that information is passed securely over the Internet.
User information is definitely included in this list, especially on the screens where they need to type a password (login screen at /user and account info screen at /user/*/edit), but also even when you're "just" collecting address information.
Likewise, it makes sense to put administration tasks behind a secure certificate. You might even consider additional HTTP authentication for these pages - you can really never be too secure with your customer's and website's sensitive data.
SSL functionality is provided through the Drupal module "Secure Pages", which you may download from http://drupal.org/project/securepages. Once installed on your site, Secure Pages allows you to designate certain sections of your site as secure, accessible using only the HTTPS protocol. As a minimum, you should consider protecting any page that displays or collects sensitive user information such as passwords, credit card numbers, etc.