server – Why can I not password protect specific URL paths?

I have a directory that I would like only real users to access.

That directory is

I have gone into /etc/apache2/apache2.conf and made sure that the following was set:

<Directory /var/www/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted

Then I entered into the path /var/www/ and created the following .htaccess file:

AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/passwd
Require valid-user

I realize the passwd file seems in a strange place, according to other posts I have looked at. But when I cat it, it has all passwords, including test users I created today.

I get the proper popup,

Yet it won’t accept any users and their passwords. The web page I get, once I give up and click cancel is:


This server could not verify that you are authorized to access the
document requested. Either you supplied the wrong credentials (e.g.,
bad password), or your browser doesn’t understand how to supply the
credentials required.

Apache/2.4.29 (Ubuntu) Server at Port 80

Any thoughts as to what I am doing incorrectly?