Geez, Google, you've limited my passwords to 200 characters. What gives? Microsoft allows passphrases with SAML... though at that point (>200) it might be pass-paragraphs.

I know this is a joke, but allowing arbitrarily long passwords allow a DOS attack if your server uses bcrypt or similar (consider uploading a 1GB password, for example)

Good point. You need to draw the line somewhere. I wrote about 200 character limit Google uses because I hit it the other day. I wondered, but that makes sense. Wouldn't surprise me if they also took networking into consideration too.