
HTTP Basic Auth, reading password file and performance


  1. Linearly relative. I wouldn't worry. HTTP Basic Auth is proved to be scalable. Just take the Twitter API as an example. It uses Basic Auth.

  2. "Because the HTTP protocol is stateless, each request will be treated in the same way, even though they are from the same client. That is, every resource which is requested from the server will have to supply authentication credentials over again in order to receive the resource. Fortunately, the browser takes care of the details here, so that you only have to type in your username and password one time per browser session - that is, you might have to type it in again the next time you open up your browser and visit the same web site."

Detailed info in the Apache Auth documentation.


My experience is with Apache 2.x only.

  1. Yes. It will be linear with the default authentication provider (file). It uses ap_cfg_getline(), so it will be linear in the number of lines (users).
  2. Yes. mod_aaa has to parse the password every time. You can use something like MemCookie for cookie or token based authentication.
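
The per-request linear scan described in the answer above, as an added example (not part of the original answers and not Apache's code): a Python sketch that checks a Basic `Authorization` header against an htpasswd-style file line by line and counts the lines read, next to a one-time in-memory index. The user names, passwords, helper names and `{SHA}` entries are constructed for illustration.

```python
import base64, hashlib, hmac

def sha_entry(user, password):
    # htpasswd "{SHA}" entry: base64 of an unsalted SHA-1 digest (legacy format,
    # used here only because it needs nothing beyond the standard library)
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"

def build_file(n):
    # Constructed sample data: user0..user<n-1> with passwords pw0..pw<n-1>
    return "".join(sha_entry(f"user{i}", f"pw{i}") + "\n" for i in range(n))

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    # Returns (user, password), or None for a malformed or non-Basic header
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    return (user, password) if sep else None

def check_by_scan(file_text, header):
    """Walk the file on every request; returns (authenticated, lines_read)."""
    creds = parse_basic(header)
    if creds is None:
        return False, 0
    lines_read = 0
    for line in file_text.splitlines():
        lines_read += 1
        name, _, stored = line.partition(":")
        if name == creds[0]:
            expected = sha_entry(*creds).partition(":")[2]
            return hmac.compare_digest(stored, expected), lines_read
    return False, lines_read

def build_index(file_text):
    # One pass at startup; later lookups do not depend on the number of users
    return dict(line.split(":", 1) for line in file_text.splitlines() if ":" in line)

def check_by_index(index, header):
    creds = parse_basic(header)
    if creds is None or creds[0] not in index:
        return False
    return hmac.compare_digest(index[creds[0]], sha_entry(*creds).partition(":")[2])
```

With 1000 constructed users, a request from the last user in the file reads 1000 lines on every request, while the indexed check does a single dictionary lookup.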


Parsing a file once at logon should scale pretty well, no matter how many users there are. I really wouldn't worry about it. In the future, you can develop a database driven approach with proper indexing. I suspect of all the bottlenecks you'll be running into developing a site, Basic Auth isn't going to be one of them for a very very long time - unless your webserver is VASTLY underpowered.