Password Protecting a Page

To set up proper password security on your web pages, you need to have telnet access to your site. If you don't know whether you have telnet access, you will need to ask your ISP who (if you can have access) will tell you how to telnet into their server. Proper password protection is implemented at a directory level using .htaccess and .htpasswd files; there is no HTML or scripting required.

If you don't have telnet access (and no one using a free host will have this access) then you cannot implement proper password security on your site. The best you can do in this case is to implement a password gate, which is a CGI script available from many sources on the internet. Note that most (if not all) free sites prohibit password protected pages of any sort. For more information on what you can do to protect your pages when you don't have telnet access see this page.

To implement proper password protection you start by telnetting into your server. Next you need to find out where you are (you can use the pwd command to do this). Change to the location where you want the password protected directory to be and make your new directory. Change into the new directory and create a .htaccess file (don't forget the dot at the front of the name) using your favourite Unix/Linux editor (e.g. vi) with the following contents.

AuthUserFile /usr/www/mydir/.htpasswd
AuthGroupFile /dev/null
AuthName "Password Box Title"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>

Change the path for the AuthUserFile to match the path to the directory you are password protecting and change "Password Box Title" to the description that you want to have appear in the dialog box that will pop up to ask for the password.

Next you need to enter the command htpasswd -c .htpasswd username (where username is the name of the first user that you want to give access to). If this doesn't work, find out where the htpasswd program is stored and add the path to it to the front of the command. You will be asked to enter the password belonging to the user whose name you entered. To add additional names to the .htpasswd file repeat the same command but without the -c flag.
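
The following shell function is an added example, not part of the original article. It checks the two files created by the steps above for the usual mistakes: an AuthUserFile path that does not match the real location, a missing directive, an unclosed <Limit> section, or a malformed password line. The name check_htaccess and the script name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. check_htaccess is a
# hypothetical helper: it prints one line per problem found in DIR/.htaccess
# and returns non-zero if there is any. Assumes unquoted AuthUserFile paths.
check_htaccess() {
    dir=$1
    file="$dir/.htaccess"
    problems=0
    report() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    [ -f "$file" ] || { echo "PROBLEM: $file not found"; return 1; }

    # AuthUserFile must be an absolute path to a password file that exists.
    userfile=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$file")
    case "$userfile" in
        "") report "no AuthUserFile directive" ;;
        /*) [ -f "$userfile" ] || report "AuthUserFile $userfile does not exist" ;;
        *)  report "AuthUserFile $userfile is not an absolute path" ;;
    esac

    # The directives that switch the password prompt on must all be present.
    grep -qi '^[[:space:]]*AuthType[[:space:]][[:space:]]*Basic' "$file" ||
        report "no AuthType Basic directive"
    grep -qi '^[[:space:]]*AuthName[[:space:]]' "$file" ||
        report "no AuthName directive"
    grep -qi '^[[:space:]]*require[[:space:]][[:space:]]*valid-user' "$file" ||
        report "no require valid-user directive"

    # Every <Limit ...> opening line needs a matching </Limit> line.
    opens=$(grep -ci '^[[:space:]]*<Limit[[:space:]>]' "$file" || true)
    closes=$(grep -ci '^[[:space:]]*</Limit>' "$file" || true)
    [ "$opens" -eq "$closes" ] || report "$opens <Limit> but $closes </Limit>"

    # Each line htpasswd writes has the form username:hash.
    if [ -n "$userfile" ] && [ -f "$userfile" ]; then
        bad=$(grep -cv '^[^:][^:]*:..*$' "$userfile" || true)
        [ "$bad" -eq 0 ] || report "$bad malformed line(s) in $userfile"
    fi

    [ "$problems" -eq 0 ]
}

# Usage: sh check_htaccess.sh /usr/www/mydir
if [ "$#" -gt 0 ]; then check_htaccess "$1"; fi
```
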

As with all computer security, no one can be completely sure that the security measures implemented cannot be bypassed. Points to note with this particular password protection system are that the user name and password are NOT encrypted when transmitted to the server and that any sub-directories will still be accessible without a password unless similarly protected.


This article written by Stephen Chapman, Felgall Pty Ltd.
