You might want to try Apache::Htpasswd. It gives more or less transparent access to apache authentication. Two possible drawbacks, though: it's very hard to force a logout without ending the browser session if you log in via apache, and this falls into knobunc's second category, ie you can still check against the encrypted version but never get the plaintext version of the password back again.