I can't believe that I still encounter sites hosting financial or sensitive data that restrict the password to short lengths and the characters to letters and numbers. Since the passwords should be encrypted when stored in the database it seems pointless to restrict the original size to such a short length. And allowing only alpha-numeric characters is just defenseless.
Graphics processors--or any computing platform used for password cracking--are only useful for that purpose if the encrypted version of the password is known. This is therefore only a concern if the password database can be obtained from a system without extended user privileges. That itself is a security threat on its own.