I use password protected directories and custom error redirects but for some reason it won't work with a 401. Instead of asking for a password it sends you to the 401 page regardless. May be the way the server is set up (beyond my control) or something else but I have noticed the same on other sites.
Password protected directories are about as safe as the directory the password is kept in. The actual .htpasswd file can easily be cracked if found so give the directory it is kept in a good cryptic name. Dont place it among your common files.