Why are low-entropy passwords considered OK in many cases?

"Cracking" a password on a website is not subject to the same kinds of brute-force attacks as encryption keys. Unless your source is a breached database, the rate at which you can brute force is limited by the website, which can introduce source-based throttling or blocking, attempt limits, raise flags etc. which makes a simple brute force harder to do.

However, if hashes have been leaked and there is insignificant additional entropy, then 8 character passwords are not secure, as @Lie Ryan suggests.