Bottom line: Not all browsers allow this. It may work in some but not others.
But as someone else has said already, it’s not very safe — you’re effectively giving the login and password details to anyone who browses the page. Not good.
A better option would be proxy it through the same server that you’re providing the html code from, then the href in the <img> tag could just be a local URL, and no-one need know where the image is actually coming from.