Basically, every dir that is under your world-browsable path in your www directories will be accessible. Under normal conditions, that's exactly what you want. For example a domain example.com pointing to /var/www/example.com will allow users to browse around in all subdirectories of /var/www/example.com.
Now, what if you add directories to this path you want to exclude from public access? That's where .htaccess comes in. Placing a .htaccess file in a directory will instruct the Apache webserver to use the rules in it to handle files and directories in this dir.
For example, if you want to add /var/www/example.com/locked-dir to your path, simpliy cd into /var/www/example.com/locked-dir and create a .htaccess file with these contents:
Deny from all
This will block any access to this dir, from everywhere. No fancy password checking! (There is plenty of information on how to do that out on the web...)