If you find a public index containing facebook_password.txt , do not open it. Immediately contact the domain owner or hosting provider. If the server belongs to a legitimate company, they may reward you. If it's criminal, you have avoided an evidence trail.
The true "better" approach is layered security, ethical behavior, and modern password hygiene. Stop hunting for .txt files. Start using a password manager, turn on 2FA, and sleep soundly knowing that your Facebook account is locked down tighter than any compromised credential dump you could ever find.
Anyone who finds the file can read every password instantly; there is no hashing or protection.