This sounds more like an added server level security layer than an error. The update process sends a server request to initiate the updater, but it cannot know about any additional security layers that have been implemented, thus the password request.
You can disable the server level security during the upgrade process by finding the AuthType [Basic|Digest|Form] line in a .htaccess file for one of the WP folders, probably /wp-admin/. Change the Basic or Digest or Form AuthType to None, the entire line will look like this: AuthType None
Make a backup copy of the original file, you will need it later. This can usually be done through your hosting control panel. You could also use FTP to download, edit, then upload the revised file.
Retry the update. Once the update process successfully completes, restore the original file.
Be very careful to only change the line as instructed, using a proper code or text editor. Accidental changes or the wrong editor can corrupt the file enough to cause the entire site to return type 500 errors.
