Or is that a bad idea security-wise?

Exceptionally bad idea.

Firstly, it opens an avenue of attack to get /etc/passwd, so an attacker would be more easily able to get a list of users.
Secondly, unlike login or sshd, there is no login throttling with apache, and failed logins are not generally logged to the syslog. So once the attacker has a valid user name (from /etc/passwd) they could write a bot to sit there brute-forcing an attack against your web server. Once the password has been found they could then use telnet or ssh to login for real, and then potentially launch a root attack from there.