After the announcing of the first SHA1 collision (https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html), and since Rfc2898DeriveBytes is still using SHA1.

Should we be concerned to use Rfc2898DeriveBytes?

See #86