To make things a little more secure, use POST or ajax when transmitting user/pass so it doesn't show up in the url browser field.
If the user/pass is correct, you set an internal arduino variable to true or to the name of the user aka a session variable. All 'html' pages look at this so it will display or deny display depending. When the user logs out or set a timer to set the session variable to false.
ps. keep the user/pass in the arduino code.