You’re not as secure online as you might think

You might think you’re secure online, but chances are you’re really not.

The problem with our grasp of cybersecurity isn’t so much that we remain dangerously illiterate — it’s that we think we know what we’re doing anyway.

The Pew Research Center was a little more diplomatic than that, though, in characterizing the findings of a new survey of Americans’ understanding of online security.

“Many Americans are unclear about some key cybersecurity topics, terms and concepts,” wrote Kenneth Olmstead and Aaron Smith in their introduction to “What the Public Knows About Cybersecurity.” But it’s that thinking that probably leads many internet users to make choices that they believe make them more secure but that, in reality, leave them as exposed as ever.

Passwords and privacy

The Pew report, based on an online survey done from June 17 to June 27 of 1,055 U.S. internet users aged 18 and up, found respondents were overwhelmingly in the know on just two points.


One is passwords. A full 75% correctly identified the most secure password out of four listed (“WTh!5Z”), while 17% said they weren’t sure if that was more resistant to being cracked or guessed than “into*48,” “Boat123” or that old favorite “123456.”

The survey did not, however, assess whether respondents actually refrained from using “123456” for any significant accounts.

The majority of survey respondents also knew about the security risks posed by public WiFi: 73% agreed that just having a network password-protected doesn’t make it safe for sensitive activities like online banking.

Unfortunately, only 33% knew that a web address beginning with “https” means that site encrypts data going between it and your computer, which should prevent people on the same network from spying on your traffic. And only 13% knew that virtual-private-network services, which route all of your internet traffic over an encrypted link, further improve your security on public WiFi.

Trouble with key concepts

The bad news continues throughout the survey. Only 54% correctly identified all three descriptions of a phishing attack designed to get you to enter your username and password at a phony site, and just 52% correctly said that disabling a smartphone’s GPS won’t stop its location from being tracked.

Only 48% knew the definition of “ransomware,” malware that encrypts your data until you pay up to get it unlocked, while 46% knew that email isn’t encrypted by default (although an increasing number of mail services now employ “TLS” encryption to secure messages as they cross the internet) and 45% knew that not all wireless routers encrypt WiFi traffic by default.

The relative upside of those three findings? Correct answers still, barely, outnumbered “Not sure.” You can’t say that for the remaining survey questions.