.htpasswd doesn't protect your script any better from prying eyes or local users than properly implemented encryption (whether using md5, crypt() or whatever) inside your CGI. Both are equally valid methods if done correctly. .htpasswd is often easier to use, but its harder to log a user out if you choose this route