Very few American consumers have a complete understanding of several consumer-focused cybersecurity concepts, according to a new Pew Research study.

According to the study, cybersecurity knowledge varies widely by topic and level of technical detail.

Of the 13 questions in the survey, a substantial majority of online adults were able to correctly answer just two of them. First, 75% of online adults can correctly identify the strongest password from a list of four options. The correct password in this case is the password that does not contain words in the dictionary; does contain letters, numbers and symbols; and has a combination of both upper and lower case letters. A similar share (73%) is aware that if a public Wi-Fi network is password protected, it does not necessarily mean that it is safe to perform sensitive tasks, such as online banking, using that network.

Meanwhile, around half of internet users are able to correctly answer several other questions in the survey. Some 54% of internet users are able to identify examples of phishing attacks. Similarly, 52% correctly say that turning off the GPS function of a smartphone does not prevent all tracking of that device (mobile phones can also be tracked via the cellular towers or Wi-Fi networks to which they are connected).

Additionally, 49% of internet users know that Americans are legally entitled to get one free copy of their credit report annually from each of the three major credit bureaus. This issue is not specifically related to any technical aspects of cybersecurity, but cybersecurity experts recommend that anyone who uses the internet for financial or other sensitive transactions regularly check their credit reports to discover evidence of identity theft or other kinds of fraud. A similar share (48%) can correctly define the term “ransomware.” This refers to criminals accessing someone’s computer, encrypting their personal files and data, and holding that data hostage unless they are paid to decrypt the files.

Americans’ practical understanding of email and Wi-Fi encryption is also relatively mixed: 46% of internet users are able to correctly identify that the statement “all email is encrypted by default” is false. Some email services do encrypt users’ messages, but this is not a standard feature of all email services. At the same time, 45% correctly identify the statement “all Wi-Fi traffic is encrypted by default on all wireless routers” is also false.

In addition, public knowledge of cybersecurity is lower on some relatively technical issues.

Internet users’ understanding of the remaining cybersecurity issues measured in the survey is lower – in some cases dramatically so. For instance, 39% of internet users are aware that internet service providers (ISPs) are able to see the sites their customers are visiting while utilizing the “private browsing” mode on their internet browsers. Private browsing mode only prevents the browser itself, and in some cases the user’s computer or smartphone, from saving this information – it is still visible to the ISP. And one-third (33%) are aware that the letter “s” in a URL beginning with “https://” indicates that the traffic on that site is encrypted.

Meanwhile, just 16% of online adults are aware that a group of computers that is networked together and used by hackers to steal data is referred to as a “botnet.” A similar share (13%) is aware that the risks of using insecure Wi-Fi networks can be minimized by using a virtual private network, or VPN.

Lastly, cybersecurity experts commonly recommend that internet users employ “two-factor” or “multi-factor” authentication on any account where it is available. Two-factor authentication generally requires users to log in to a site using something the user knows (such as a traditional password) along with something the user possesses (such as a mobile phone or security token), thus providing an additional layer of security in the event that someone’s password is hacked or stolen. But when presented with four images of different types of online login screens, just 10% of online adults are able to correctly identify the one – and only one – example in the list of a true multi-factor authentication process. In this case, the correct answer was a picture of a login screen featuring a temporary code sent to a user’s phone that will only help them login for a limited period of time. Several of the other answer options illustrated situations in which users were required to perform a secondary action before accessing a page – such as entering a captcha, or answering a security question. However, none of these other options are examples of two-factor authentication.

The study also found that a significant share of online adults are simply not sure of the correct answer on a number of cybersecurity knowledge questions.

Although the share of online adults who can correctly answer questions about cybersecurity issues varies from topic to topic, in most cases the share providing an actual incorrect answer is relatively small. Rather, many users indicate that they simply are not sure of the correct answer to a large number of the questions in this survey.

At the low end, around one-in-five online adults indicate they are not sure how to identify the most secure password from a list (17%), how to identify multi-factor identification (18%) or whether public Wi-Fi is safe for sensitive activities (20%). At the high end, a substantial majority of internet users are not sure what purpose a VPN serves (70%) or what a botnet does (73%). There are also a number of other questions in this survey where “not sure” responses are markedly more common than incorrect answers. These include the definition of ransomware, whether or not email and Wi-Fi traffic are encrypted by default, whether private browsing mode prevents ISPs from monitoring customer activity and how to identify whether or not a webpage is encrypted. In fact, there is only one question on the survey – how to identify a multi-factor authentication screen – for which a larger share of respondents answer incorrectly than indicate they are not able to answer the question at all.

The study also found that those with higher levels of education and younger internet users are more likely to answer cybersecurity questions correctly.

Internet users’ knowledge of cybersecurity varies by several demographic factors. The most consistent differences are related to educational attainment.

Those with college degrees or higher answered an average of 7.0 of the 13 questions in the survey correctly, compared with an average of 5.5 among those who have attended but not graduated from college and an average of just 4.0 for those with high school diplomas or less.

Roughly one-quarter (27%) of those with college degrees answered 10 or more questions correctly, compared with 9% of those who have attended but not graduated from college and just 4% of those with high school diplomas or less.

On all 13 questions in the survey, there is at least an 11 percentage point difference in correct answers between the highest- and lowest-educated groups. And there are four questions with a difference of 30 percentage points or more between the highest- and lowest- educated groups. These include whether or not Wi-Fi traffic is encrypted by default on all wireless routers (a difference of 34 points); what “https://” in a URL refers to (32 points); whether or not all email is encrypted by default (32 points); and the definition of ransomware (31 points).

Cybersecurity knowledge also varies by respondent age, although these differences are much less dramatic than the differences pertaining to educational attainment. Indeed, on a number of these questions internet users age 65 and older are just as knowledgeable as those ages 18 to 29. For instance, older and younger users are equally likely to be able to identify a phishing attack, identify the most secure password from a list and know how many free credit reports Americans are entitled to by law. However, younger users score higher on certain questions – such as whether “private browsing” mode prevents ISPs from tracking users’ online activities (a 27 point difference) or whether turning off the GPS feature on a smartphone disables all tracking of that device (a 23 point difference).