I dont know personally how the modified M3U works what i do know is some casual user just port scanning will not get in if you password and HTTP authentication
But it isn't casual users who are likely to find an open port. When they found mine, I located the source IP address to a data centre hosted in London which people can rent for a monthly fee. All they would do is run IP scanners en masse (and probably 24/7), and then have automated scripts to interrogate OpenWebIf. They don't need to crack your root password, nor will they be deterred by having HTTP authentication switched on - all HTTP authentication does is ask for a password when you log into the OpenWebIf web interface, but when you click on a channel, or programme, it generates an M3U file in the form of
http://internalIP:8001/GUIDofChannel.
Problem is, the so-called hackers can simply change the IP of the M3U files to your external IP address. This will then play their side with no authentication required. I've tested this myself using my own box and 2 different other broadband lines and confirm this works without any password being asked for. It's up to you really, If you feel safe enough, go for it...