Suppose you want to protect everything under http://llama.med.harvard.edu/~jdoe/secret_stuff/, so that users need a password to access the HTML pages or CGI scripts there.
Follow these steps:
AuthUserFile /home/jdoe/www/passwd AuthName "J's Secret Stuff" AuthType Basic require user SomeGuy
htpasswd2 -c /home/jdoe/www/passwd SomeGuy(You'll find the htpasswd command is probably not in your usual path. Look for it using "locate htpasswd2") That will set up access control for one user, named "SomeGuy" (and the "-c" switch tells it to create a new password file with this info). The program will prompt you to set a password for that user.
Following these instructions, you'll place the password file outside of the directory from which your web content is served. This is important, so that the password file can't be retrieved by arbitrary remote users.
htpasswd2 /home/jdoe/www/passwd SomeOtherGuyand edit the "require" line in the .htaccess file. (For each user you add, you will be prompted to give them a password.) If you just say "require valid-user", then any user in the AuthUserFile will be accepted. You can also explicitly list usernames, for example:
require user SomeGuy SomeOtherGuyand then only those users will be allowed access.