You need to create a file called .htaccess in the top level directory you wish to protect with passwords. So if you wised to protect a directory called ~username/public_html/top_secret, you should create .htaccess file there. It should have the same permissions as a normally served document (aka 444, or a=r). The following is pretty much what the file should look like:
AuthType Basic AuthName REALM AuthUserFile USER_FILE_PATH AuthGroupFile GROUP_FILE_PATH <Limit GET> require group GROUP_NAME </Limit>
REALM is the information to be presented to the person trying to access your pages so they have some idea what username and password to use. It is an arbitrary string. (IE. Top_secret, or Top Secret Directory).
user_file_path is a complete path (ie. /usr/users/lt/goebel/stuff/users) where you will have stored the usernames and passwords. They are stored in the file one username and password, seperated by a colon, on single lines. The passwords being generated on emunix by a program called htpasswd.
An example user_file could look like.
The group_file should be lists of groups followed by a colon, and then a list of the users in the group.
An example group_file could look like.
buttheads: dilbert shoes: dilbert mattias
Neither the group nor user file should be in your web directory, but it should be readable by the web daemon (aka world read).
You need to pick the top level directory you want protected and there create a .htaccess file. It should contain something along the lines of :
<Limit GET> order deny,allow deny from all allow from 164.76. </Limit>
This will allow only connections from machines with ip which start with 164.76.
The order directive tells the server in which order to test the deny and allow directives.
1) deny,allow : the deny directives are evaluated before the allow directives.
2) allow,deny : the allow directives are evaluated before the deny directives.
So you can deny everyone but a select few, or only allow a few certain sites to look at certain directories.
Actual Apache Documentation