To password protect a directory served by Apache, you need a .htaccess file in the directory you want to protect and a .htpasswd file that can be anywhere on your system that the Apache user can access (but put it somewhere sensible and private). You most likely do not want to put .htpasswd in the same folder as .htaccess.
The .htaccess file may already exist. If not, create it. Then insert:
AuthName "Your authorization required message."
Then create a .htpasswd file using whatever username and password you want. The password should be encrypted. If you are on a Linux server, you can use the htpasswd command which will encrypt the password for you. Here is how that command can be used for this:
htpasswd -b /path/to/password/file username password
Here is a Virtual Host example. This is useful for covering a collection of sites or more explicit control. It is mostly the same but must be in a Location directive.
<Location / >
AuthName "What is the password?"