A lot of places restrict the allowed characters because they're morons who don't understand SQL injection and think it's a way to avoid it. Ideally any character should be allowed that can be transferred over HTTP without breaking the hell out of things, which is everything which can be properly encoded.
I do trim passwords though, something old school jackasses think is bad, because after all, if there's a space at the beginning or end of a password, or a newline/return character, it must be on purpose, despite the fact that 99.9999999999% of the time it's because someone copy/pasted the password from an email or something and accidentally added on the space/\r/\n. Of course you can make the argument of never sending a password in an email (and we don't), but tell that to users who will do it all day long.
I also wrote a method to deal with "easy" passwords, things like repeating words, pattern recognition for phone numbers, birthdates, etc.