In general it's simpler to protect the contents of a directory, rather than just a single file. Controlling who gets to see what parts of a website can be a deep topic, see here for more details.

Suppose you want to protect everything under http://llama.med.harvard.edu/~jdoe/secret_stuff/, so that users need a password to access the HTML pages or CGI scripts there.

Follow these steps:

  1. Create /home/jdoe/www/html/secret_stuff/.htaccess with the following contents: 
    	AuthUserFile /home/jdoe/www/passwd
	AuthName "J's Secret Stuff"
	AuthType Basic

	require user SomeGuy
  2. Create the password file with this command: 
    	htpasswd2 -c /home/jdoe/www/passwd SomeGuy
    (You'll find the htpasswd command is probably not in your usual path. Look for it using "locate htpasswd2") That will set up access control for one user, named "SomeGuy" (and the "-c" switch tells it to create a new password file with this info). The program will prompt you to set a password for that user.

    3. Following these instructions, you'll place the password file outside of the directory from which your web content is served. This is important, so that the password file can't be retrieved by arbitrary remote users.

  3. If you need to add more users, run 
    	htpasswd2 /home/jdoe/www/passwd SomeOtherGuy
    and edit the "require" line in the .htaccess file. (For each user you add, you will be prompted to give them a password.) If you just say "require valid-user", then any user in the AuthUserFile will be accepted. You can also explicitly list usernames, for example: 
    	require user SomeGuy SomeOtherGuy
    and then only those users will be allowed access.
When using this, keep in mind that HTTP Basic authentication is a fairly weak access control mechanism. The data that is exchanged after your users have logged in is not encrypted, and the password they type is transmitted across the network in clear text.