Something I've never been able to figure out, and is either because I'm missing something quite obvious, or because there really is no answer is: Why does PHP bother to have set $PHP_AUTH_USER anyway? As far as I can tell, it's always the same as $REMOTE_USER.

As for getting the password, I don't think that's necessary (although I'm sure there's some way you could do it). $REMOTE_USER is only ever going to be set it the user has logged in successfully, so all you need to do is check whether $REMOTE_USER has been set or not - the existence of $REMOTE_USER itself is the "success message".