@akuchling @cwebber @tastytentacles Also TIL (en.wikipedia.org/wiki/SHA-2):
> SHA-256 and SHA-512, and, to a lesser degree, SHA-224 and SHA-384 are prone to length extension attacks, rendering it insecure for some applications. It is thus generally recommended to switch to SHA-3 for 512-bit hashes and to use SHA-512/224 and SHA-512/256 instead of SHA-224 and SHA-256. This also happens to be faster than SHA-224 and SHA-256 on x86-64 processor architecture, since SHA-512 works on 64-bit instead of 32-bit words.
I can confirm that when I tried it out in git-annex, SHA-512 is indeed faster than SHA-256, as is Skein-512, one of the SHA-3 candidates.
SHA-512/256 refers to SHA-512 truncated to 256 bits, but with a different initial value than plain SHA-512.