A few months ago, I was at a talk at Google Chicago with two of the original creators of Subversion (Ben Collins-Sussman and Brian Fitzpatrick). After profuse apologies, they said everyone in the room should switch from git to hg, and that people who still used git just didn't realize how much it sucks. Then I realized why Google released hg support before git support :P
The http protocol was definitely the dealbreaker. That said, if you think hg is less secure than git you've bought into some FUD (the models are so similar it's almost silly, and the security quality is identical). The speed differences between hg and git aren't perceivable for the bulk of projects, even at sizes larger than most corporate repositories I've heard of. There are some operations that are faster for git (notably history rewriting), and others that are faster for hg (notably blame and per-file log). The two systems are very similar and just make some slightly different tradeoffs.
As far as I can tell, all changesets in Git are summed by SHA-1. The sum is also an ID for the changeset. You cannot change a changeset without modifying its SHA-1 sum. This design makes Git secure from tampering.
The IDs for Hg changesets are some 48-bit numbers, like fb43b575b296. I do not think that this size is safe enough.
Mercurial prints the first 12 bytes of the hexlified sha1 by default, but everything is recorded using the full sha1, and can be referenced as such. You can view the full sha1 in a number of ways, the easiest would be "hg log --limit 1 --debug".
Mercurial uses full-length SHA1 sums internally, same as git. It just prints the first 48 characters for user convenience, unless you happen to have two objects that share that substring.
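Added example, not part of the thread and not code from Git or Mercurial: a simplified model of the point discussed above, where each changeset id is a full SHA-1 over its parent ids and content, and the short form is only a display prefix that is resolved back to the full id. The function names, the null parent value and the sample contents are assumptions made for illustration.

```python
import hashlib

NULL_ID = b"\x00" * 20  # constructed placeholder meaning "no parent"

class AmbiguousPrefix(Exception):
    """Raised when a short prefix matches more than one full id."""

def node_id(content: bytes, p1: bytes = NULL_ID, p2: bytes = NULL_ID) -> bytes:
    # Full 160-bit id: SHA-1 over both parent ids (sorted) plus the content,
    # so changing content or ancestry changes the id.
    lo, hi = sorted((p1, p2))
    return hashlib.sha1(lo + hi + content).digest()

def short(node: bytes, hexlen: int = 12) -> str:
    # Display form only: 12 hex digits = 48 bits of the stored 160-bit id.
    return node.hex()[:hexlen]

def resolve(prefix: str, nodes: list) -> bytes:
    # Map an abbreviated id back to the single full id it stands for.
    hits = [n for n in nodes if n.hex().startswith(prefix.lower())]
    if not hits:
        raise KeyError(prefix)
    if len(hits) > 1:
        raise AmbiguousPrefix(prefix)
    return hits[0]

def build(contents: list) -> list:
    # Linear history of (content, recorded_id), each id covering its parent.
    parent, out = NULL_ID, []
    for c in contents:
        nid = node_id(c, parent)
        out.append((c, nid))
        parent = nid
    return out

def verify_chain(history: list) -> int:
    # Recompute every full id; return the index of the first mismatch, or -1.
    parent = NULL_ID
    for i, (content, recorded) in enumerate(history):
        if node_id(content, parent) != recorded:
            return i
        parent = recorded
    return -1

if __name__ == "__main__":
    hist = build([b"initial\n", b"fix bug\n", b"release\n"])  # constructed sample
    for content, nid in hist:
        print(short(nid), nid.hex())
    print("first bad changeset:", verify_chain(hist))
```

Integrity checking compares the full 160-bit ids; the 48-bit prefix is only a lookup key into ids that are already stored in the repository.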