The cool kids talk about Rényi min-entropy, which, as you say, deals with the skewed distribution issue. I’ve written that into standards myself (actually I wrote a long definition of the word “unpredictability” using that concept, and then used that all over the document).
But in general, unless you’re writing some very formal document, you can just say “entropy” as shorthand and people will know what you’re talking about. Nobody is actually going to code your suggested password generation algorithm, and no actual practitioner thinks that “12345678” is a good 8-character password.
A bigger problem is that you don’t necessarily know your adversary’s state of information, so you don’t know what the distribution looks like from their point of view. Not a problem for random passwords, but it can be hard to evaluate a user-generated password.
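The "skewed distribution issue" the comment refers to, as an added worked example (not the commenter's code): Shannon entropy averages surprise over every password, while min-entropy (the Rényi entropy of order infinity) looks only at the single most likely one, which is what bounds an attacker's first-guess success. The password table is constructed for illustration, and which table you feed in is exactly the "adversary's state of information" question raised above.

```python
"""Shannon entropy vs. min-entropy over a skewed password distribution.

Added example, not from the commenter.  The distribution below is constructed:
a few very common passwords plus a long tail of rare ones, the shape that makes
Shannon entropy overstate how hard the typical password is to guess.
"""
import math
from collections import Counter


def shannon_entropy_bits(probs):
    """H = -sum p*log2(p): average surprise over the whole distribution."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def min_entropy_bits(probs):
    """H_inf = -log2(max p): surprise of the single most likely outcome.
    An attacker who knows the distribution succeeds on the first guess
    with probability max(p), so this is the conservative strength figure."""
    return -math.log2(max(probs))


def password_distribution(counts):
    """Turn a {password: count} table into a list of probabilities."""
    total = sum(counts.values())
    return [c / total for c in counts.values()]


# Constructed sample (not real leak data): three passwords carry 35% of the
# mass, the other 65% is spread over 65 distinct values.  Total = 100.
SKEWED = Counter({"123456": 20, "password": 10, "qwerty": 5})
SKEWED.update({f"user{i:04d}!": 1 for i in range(65)})

# Comparison: 100 distinct passwords seen once each, i.e. what a uniform
# random generator looks like from the attacker's point of view.
UNIFORM = Counter({f"rand{i:04d}": 1 for i in range(100)})


def compare(counts):
    """Both entropy measures plus the attacker's best single-guess odds."""
    probs = password_distribution(counts)
    return {
        "shannon_bits": shannon_entropy_bits(probs),
        "min_entropy_bits": min_entropy_bits(probs),
        "first_guess_success": max(probs),
    }


if __name__ == "__main__":
    for name, table in (("skewed", SKEWED), ("uniform", UNIFORM)):
        r = compare(table)
        print(f"{name:8s} Shannon={r['shannon_bits']:.2f} bits  "
              f"min-entropy={r['min_entropy_bits']:.2f} bits  "
              f"best-guess success={r['first_guess_success']:.2f}")
```

For the skewed table Shannon entropy comes out near 5.3 bits but min-entropy is only 2.3 bits (a one-in-five first guess), whereas the uniform table gives 6.6 bits under both measures.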