Open a command prompt window in the subdirectory /apache/bin under your XAMPP install directory, then enter the command "htpasswd". That will display usage information for that command:
C:\Program Files\xampp\apache\bin>htpasswd
Usage:
htpasswd [-cmdpsD] passwordfile username
htpasswd -b[cmdpsD] passwordfile username password
htpasswd -n[mdps] username
htpasswd -nb[mdps] username password
-c Create a new file.
-n Don't update file; display results on stdout.
-m Force MD5 encryption of the password (default).
-d Force CRYPT encryption of the password.
-p Do not encrypt the password (plaintext).
-s Force SHA encryption of the password.
-b Use the password from the command line rather than prompting for it.
-D Delete the specified user.
On Windows, NetWare and TPF systems the '-m' flag is used by default.
On all other systems, the '-p' flag will probably not work.
For example, "htpasswd -nm reginald" will prompt you for a password, and then display the line to place in the .htpasswd file for the user "reginald", using MD5 encryption for the password. If you use the "s" option instead of the "m" option, you'll get SHA encryption, which is even stronger than MD5.
You don't have to tell Apache whether the passwords in .htpasswd are encrypted, or what kind of encryption they use. Apache figures it out automatically.
Of course if someone manages to get direct access to your file system, bypassing Apache, and can read any files there, this kind of protection won't accomplish anything.