Make sure you have these in your httpd.conf file:
# This to look for filename to access control information
# This to prevent the .htpassword and .htaccess files from being able to be viewed.
Deny from all
# And also something like this placed in your directive tags, etc:
AllowOverride AuthConfig Limit