Because there have been multiple documented attacks against MD5. You don't need the password if you can run out and come up with a new plaintext that ends up with the same digest.