Thanks for the reply. Sounds like another case of "we've always done it this way".
I feel like underlying all of this, there's a lagging perception that "spaces and special characters are hard". But when all you're doing is hashing them... they're really really not. Whenever I hit a max length limitation, I'm automatically assuming that particular password is being kept in plaintext.
Max length limits can also be imposed by actual cryptographic hashes. (8-char limits are admittedly implausible.) For example, bcrypt is generally considered a good idea for storing passwords, but has a length limit of somewhere around 55 bytes (http://security.stackexchange.com/questions/39849/does-bcryp... for details).
I feel like underlying all of this, there's a lagging perception that "spaces and special characters are hard". But when all you're doing is hashing them... they're really really not. Whenever I hit a max length limitation, I'm automatically assuming that particular password is being kept in plaintext.