It's basically the same as the other JS password protection methods in that you just send them to password.html, except you include username_and_password.js which draws the secured content. It's not something people can crack without getting a directory index to see which files you have in your folders.
I wouldn't call your login secure. Several issues I can think of make such a script less attractive than a server-side login:
1) Once you are logged in you are logged in. There is no "session expiration".
2) You don't need to know the username and password. You only need to know the filename you are redirected after logging in.
3) If you occasionally change the filename of the file, you are redirected to, for security reasons (I assume there is no other way to protect against brute force methods) you will break existing links and bookmarks
4) You cannot set different "access levels/rights" for members
Your are correct on the session expiration and such, but I can make it so that you can not see what the page url is, thus, creating a dang near impossible crack unless you either know a username and password.
However there is still that "brute force" that might get in. Althought there is no real sensitive info that is SUPER important
this won't help bruteforcing, but a good idea if you don't want people looking over your shoulder at the url (which has the password in it), write the name of the target page in hex. that way, they won't remember the code (unless they have photographic memory)
The new and even better site stands to this day! I have used hex values that complicate even brute force attacks! Generic names (such as members.htm, etc...) no longer stand. Making it very difficult to bypass.