How weak is MD5 as a password hashing function?

There are lots of known cryptographic weaknesses in MD5 which make it unusable as a message digest algorithm, but not all of these also apply in the context of password hashing. But even when we assume that these do not exist, MD5 is still a bad password hashing algorithm for one simple reason: It's too fast.

In any scenario where an attacker obtained the hashed passwords, you have to assume that they also obtained the salt of each password and the pepper.

The only reason to use a pepper is so you can't use a rainbow table precomputed before the attack, because you need a different one for each database. The only reason to use a salt is so you can't use the same rainbow table for the whole password database, because the same password for two different accounts will have a different hash.

The length of pepper and salt doesn't matter that much. Their only purpose is to make sure that each value is unique. More length doesn't make the attack notably harder (there is more data to hash, but that's a linear increase at most).

Bottom line is, a short salt is all that is needed to make sure that the attacker has to brute-force all possible passwords to find the correct hash for every single account.

And that's where MD5's weakness comes into play: It's a fast and memory-conserving algorithm. That means an attacker can compute the hash of a large number of passwords per second. Using specialized hardware (like FPGA arrays or ASICs) worth a few thousand dollars you can compute the hashes of all possible 8-character passwords for a given salt in mere hours.

For better security, use a slow algorithm like bcrypt. It means that your system needs some more CPU cycles to authenticate users, but the payoff is usually worth it because an attacker will also need a whole lot more processing power to brute-force your password database should they obtain it.
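The two points in the answer above (a salt defeats a table precomputed for unsalted hashes, and a deliberately slow hash raises the per-guess cost for the verifier and the attacker alike) can be seen in a few lines of code. This is an added example, not code from the answer or from any library it mentions; it uses only the Python standard library, so PBKDF2-HMAC-SHA256 (`hashlib.pbkdf2_hmac`) stands in for bcrypt, which is not in the stdlib. The passwords and the candidate list are constructed sample data.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data for the demonstration (not real credentials).
CANDIDATES = ["hunter2", "password", "letmein", "correcthorse"]


def md5_unsalted(password: str) -> str:
    """Plain MD5: the same password gives the same digest in every account."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password: str, salt: bytes) -> str:
    """MD5 over salt || password: a different salt yields a different digest."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """A deliberately slow password hash (PBKDF2-HMAC-SHA256 from the stdlib).

    Stand-in for bcrypt as recommended in the answer; the iteration count is
    the knob that trades verification latency for attacker cost.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_pbkdf2(password: str, salt: bytes, stored: bytes, iterations: int = 600_000) -> bool:
    """Recompute and compare in constant time, so timing does not leak a prefix match."""
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), stored)


def build_unsalted_table(candidates):
    """A table precomputed before any database is seen: digest -> password."""
    return {md5_unsalted(p): p for p in candidates}


def precomputed_lookup_outcome(password: str, candidates):
    """Return (hit for unsalted MD5, hit for salted MD5) against the same table.

    The second element is None: the table was built without the per-account
    salt, so it does not contain the salted digest.
    """
    table = build_unsalted_table(candidates)
    unsalted_hit = table.get(md5_unsalted(password))
    salt = os.urandom(16)  # per-account random salt, generated at enrollment
    salted_hit = table.get(md5_salted(password, salt))
    return unsalted_hit, salted_hit


def measure_rate(fn, seconds: float = 0.25) -> float:
    """Evaluations of fn() per second, measured over roughly `seconds`."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn()
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    print("precomputed table:", precomputed_lookup_outcome("hunter2", CANDIDATES))
    salt = os.urandom(16)
    md5_rate = measure_rate(lambda: md5_salted("hunter2", salt))
    slow_rate = measure_rate(lambda: pbkdf2_hash("hunter2", salt))
    print(f"salted MD5: {md5_rate:,.0f} hashes/s on one CPU core in pure Python")
    print(f"PBKDF2 (600k iterations): {slow_rate:,.2f} hashes/s")
    print(f"cost factor per guess: about {md5_rate / slow_rate:,.0f}x")
```

The rate printed for MD5 is a single core in Python; a GPU or ASIC attacker is orders of magnitude faster, which is exactly why the ratio, not the absolute number, is the quantity to watch. Tune the iteration count (or bcrypt's cost parameter) so that one verification costs a few hundred milliseconds on your own hardware, and plan to raise it as hardware improves.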


The severity of the danger in using MD5 depends on what you're using it for, but there's no compelling reason to use it at all.

MD5 absolutely must not be used for signatures because it is possible (and continues to become more possible over time) to circumvent the protections offered by signing when MD5 is used.

If, on the other hand, your purpose is whitening random data to get a more consistent distribution of ones and zeroes, then MD5 is as good as it ever was. Note that this is not a security-sensitive operation; there is no attack vector because there is no target, nothing to be gained or lost through knowledge of the algorithm, just a simple transformation where the output is truly random because the input is truly random.

Somewhere in between these two extremes you'll find all other operations. As the sensitivity of what you're doing and your dependence on the irreversibility of the cryptographic hash increases, so the danger in using MD5 also increases.

But the best reason to not use MD5 is the same as the best reason for not using triple-DES: There are better options available, and no advantage to using the old algorithm. MD5 is dead; it might be useful in certain limited circumstances, but the better option is to avoid it entirely so as to not accidentally use it in a place where security matters.