My two cents on this :)
Why do we use salt for passwords?
If here are two users who use "HelloWorld" as they password. We will have two identical hashes in database.
And if hacker who got our database have premade bilions of passwords with they hashes. He can compare them with our database and find hash in our database coresponding with hash in they database and will find users password. No need for brute force.
We add salt to make all passwords unique. So, two users who used "HelloWorld" as they password will have two diffirent hashes if salt is used.
It also makes premade password hash databases less useful, or maybe worthless. So, haker who got our database will need to use brute force to find each password in database, but because he will know salt used for password, it will not be hard to do if user used "HelloWorld" as they password.
In both cases security mostlly depends at user. If he used "HelloWorld" as they password, it is same as not using password at all. But if he used >30 long and made from random letter, numbers and special simbols password, even without salt it will be secure.
But lets be real, most passwords are "HelloWorld" or similar.
Pepper can make password longer and more complex, but question is how to use them. Your example to me looks like double salted password. You first salt it with server salt, get hash and salt hash with password salt.
In my case I would just make pepper made from random special symbols (because most not secure passwords only use latters and maybe some numbers). Make pepper about 32 symbol length. Forcing user passwordto be at last 10 symbol long. If I just add them together I will have 42 symbols password. If user password is 20 symbol long, I will add only 22 symbols from pepper to make password 42 symbol long. And salt this password to make hash.
In this case if hacker got my database only he will not able to brute force passwords. Because salted password will be not "HelloWorld", but "!@#&^%+-&%$@#!#$#%HelloWorld" or something similar.
But if hacker got my pepper too and knows how I add it to passwords he may be able to brute force passwords, but this means more work for hacker. And this is meaning of crypto. To make hackers work more. Here are no security impossible to breach.
And pepper makes it more secure, here are no question about it. Which is easier to brute force?
"HelloWorld" or "!@#&^%+-&%$@#!#$#%HelloWorld"
Or are they equal?
In response to other answer:
"Your implementation of peppers precludes the ability to rotate the pepper key."
Why would I need to rotate my pepper? If hacker is able to steal my pepper, it means my server is compromised so much I need to deleted all password hashes from my database and make all users to recover they accounts. It is not important if I use pepper or not. I will need to do it in both cases. So, I don't see any meaning in rorating pepper.
"It Requires You To Roll Your Own Crypto"
Why would I need to roll my own crypto? All I need to do is to hash(pepper + password); in simplest case. In more complex case I would just make funtion to add pepper and password in more complex way and use standert hash. hash(add_pepper(password));
add_pepper() will not encrypt it will just add more symbols to password and maby make somthing like this:
"!@#&^%+-&%$@#!#$#%HelloWorld" or "!@#&^%+-HelloWorld&%$@#!#$#%"
It just needs to add pepper same way for same string (for same length of string).
As I said before my function to add papper just makes password 42 symbol long. No other unnecessary things. Pepper just makes password brute forcing harder. No more, no less.
If I add pepper depending at length of users password, getting only pepper is also not as useful, because hacher will not know how much of it was added and where. At front, at back, at both ends of password? Hacker will need to get my add_pepper() too. But if hacker can get them, all security is meaningless.
Pepper don't make unbreakable security, it just makes some part of security better. So, I will use pepper.
P.S. Maybe answers against pepper is writen by hackers who don't want they work made harder? ;)