what's the easiest way to password protect mongodb database for remote user?

Right now monogdb does not support authentication mode based on the user location. So that means if you run mongod with --auth that will apply to everyone.

There are no (yet) advanced authentication schemas like IP, protocol source, etc. For now you can only define if the user has read only or write permissions on a database. So basically the only thing mongodb cares is if you typed the right password for the right user.

Personally in all production environment I would recommend to use the secure mode, because even if you allow only connection from a localhost any users who has access to the local server or any malicious script on the host can easily wipe all your data.

The MongoDB Security and Authentication page has information on configuring user authentication and firewall settings.

Note that when you enable password authentication for a database, the authentication requirement will apply to both local and remote users (so you will also need to connect with a password through the local IP).