SYSLIB0041: Some Rfc2898DeriveBytes constructors are obsolete
The following Rfc2898DeriveBytes constructors are obsolete, starting in .NET 7. Using them in code generates warning SYSLIB0041 at compile time.
- Rfc2898DeriveBytes(String, Byte[])
- Rfc2898DeriveBytes(String, Int32)
- Rfc2898DeriveBytes(Byte[], Byte[], Int32)
- Rfc2898DeriveBytes(String, Byte[], Int32)
- Rfc2898DeriveBytes(String, Int32, Int32)
These overloads default the hash algorithm or number of iterations, and the defaults are no longer considered secure. These are all of the constructors that were available in .NET 4.7.1 and earlier versions. Going forward, you should only use the newer constructors.
Workaround
Use a different constructor overload where you can explicitly specify the iteration count (the default is 1000) and hash algorithm name (the default is HashAlgorithmName.SHA1).
If you're using the default iteration count or default hash algorithm, consider moving to more secure values—that is, a larger iteration count or a newer hash algorithm.
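The following added example (not part of the original article) shows one way to move stored password hashes off the old defaults: each record keeps its own iteration count and hash name, so a hash made with the defaults (1000 iterations, SHA1) still verifies and is re-derived with stronger values on the next successful check. The StoredHash and PasswordHasher names and the target values (600,000 iterations, SHA256, 16-byte salt, 32-byte key) are assumptions made for this example.

```csharp
using System;
using System.Security.Cryptography;

// Added example: parameters are stored with each record so old hashes stay verifiable.
public sealed record StoredHash(byte[] Salt, int Iterations, string HashName, byte[] Key);

public static class PasswordHasher
{
    // Assumed target values for this example; tune the count for your hardware.
    private const int TargetIterations = 600_000;
    private static readonly HashAlgorithmName TargetHash = HashAlgorithmName.SHA256;
    private const int SaltSize = 16, KeySize = 32;

    private static byte[] Derive(string password, byte[] salt, int iterations,
                                 HashAlgorithmName hash, int length)
    {
        // Non-obsolete overload: iteration count and hash algorithm are both explicit.
        using var kdf = new Rfc2898DeriveBytes(password, salt, iterations, hash);
        return kdf.GetBytes(length);
    }

    public static StoredHash Create(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        return new StoredHash(salt, TargetIterations, TargetHash.Name!,
            Derive(password, salt, TargetIterations, TargetHash, KeySize));
    }

    // Returns true if the password matches. 'upgraded' is non-null when the record
    // used weaker parameters (for example the old defaults) and should be replaced.
    public static bool Verify(string password, StoredHash stored, out StoredHash? upgraded)
    {
        upgraded = null;
        byte[] candidate = Derive(password, stored.Salt, stored.Iterations,
            new HashAlgorithmName(stored.HashName), stored.Key.Length);
        if (!CryptographicOperations.FixedTimeEquals(candidate, stored.Key))
            return false;
        if (stored.Iterations < TargetIterations || stored.HashName != TargetHash.Name)
            upgraded = Create(password);
        return true;
    }
}
```

Changing the iteration count or hash algorithm changes the derived bytes, so existing records must carry their original parameters (1000 and "SHA1" for hashes made with the defaults) until they are upgraded.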
Suppress a warning
If you must use the obsolete APIs, you can suppress the warning in code or in your project file.
To suppress only a single violation, add preprocessor directives to your source file to disable and then re-enable the warning.
// Disable the warning.
#pragma warning disable SYSLIB0041
// Code that uses obsolete API.
// ...
// Re-enable the warning.
#pragma warning restore SYSLIB0041
To suppress all the SYSLIB0041 warnings in your project, add a <NoWarn> property to your project file.
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    ...
    <NoWarn>$(NoWarn);SYSLIB0041</NoWarn>
  </PropertyGroup>
</Project>
For more information, see Suppress warnings.