If normal users can’t “use our products and keep safe, then that’s on us even if they made a mistake,” Alex Stamos, Facebook’s security chief, told the Web Summit in Lisbon on Wednesday.

Stamos, who joined Facebook in the summer of 2015 from Yahoo, heads the team at Facebook trying to stay a step ahead of potential hacks.

He said one of the biggest challenges in safety arises from a common web user problem: “The reuse of passwords is the No. 1 cause of harm on the Internet,” he said.

Hackers sell millions of such passwords on the Internet black market. Facebook, says Stamos, buys the passwords hackers sell online and cross-references them with the encrypted user passwords on the site, a task he described as “computationally heavy.”

But, he said, as a result Facebook has alerted tens of millions of users that their passwords need to be stronger.
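An added example (not Facebook's code and not from the talk) of the kind of cross-referencing described above, assuming passwords are stored as per-user salted PBKDF2 hashes; the storage scheme, function names and sample data are all constructed for illustration. Because each account has its own salt, every leaked pair costs one full key-derivation run, which illustrates why such a check becomes computationally heavy at scale.

```python
import hashlib
import hmac
import os

# Assumed storage scheme: per-user random salt + PBKDF2-HMAC-SHA256.
# Iteration count kept low so the example runs quickly; real deployments use far more.
PBKDF2_ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def find_exposed_accounts(accounts: dict, leaked_pairs: list) -> tuple:
    """Return (sorted exposed account names, number of KDF evaluations spent)."""
    exposed = set()
    kdf_calls = 0
    for email, leaked_password in leaked_pairs:
        key = email.strip().lower()
        account = accounts.get(key)
        if account is None:
            continue  # leaked address has no account here: nothing to check
        # The salt is per user, so the hash cannot be precomputed once per dump.
        candidate = hash_password(leaked_password, account["salt"])
        kdf_calls += 1
        if hmac.compare_digest(candidate, account["hash"]):
            exposed.add(key)  # user reused this password; prompt a reset
    return sorted(exposed), kdf_calls


# Constructed sample data: the site's stored records and a purchased dump.
ACCOUNTS = {
    "alice@example.com": make_account("correct horse battery"),
    "bob@example.com": make_account("hunter2"),
    "carol@example.com": make_account("Tr0ub4dor&3"),
}
LEAKED = [
    ("Alice@example.com", "letmein"),
    ("bob@example.com", "hunter2"),
    ("bob@example.com", "hunter3"),
    ("dave@example.com", "password1"),
    ("carol@example.com", "Tr0ub4dor&3"),
]

if __name__ == "__main__":
    print(find_exposed_accounts(ACCOUNTS, LEAKED))
```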

The company also uses machine learning algorithms to spot fraudulent activity on accounts, and various authentication measures, such as two-factor identification and facial recognition of friends.

One thing users need to do, says Stamos, is “secure all their accounts,” not just Facebook, particularly to avoid the kind of cyber snooping by governments that’s so prevalent now.

“Generally if you’re targeted by a government, that’s a full spectrum targeting with a look at your entire online presence,” he said. He believes the problem is only going to get worse.

Passwords remain a concern, and, like many in the tech industry, Stamos says they’re an outdated security measure that needs to change.

“Well I mean passwords have to go right? Like the password paradigm came out of the ’70s multi-user mainframe systems.”

For his complete talk, see Building Global Scale Defenses.