from a security point of view, it would be useful to know which user accounts have not logged in for a long time, or ever.

this could be figured out by looking at sessions and taking the "lastaccess" value from there, but old sessions could be removed by housekeeper.

this makes it impossible to distinguish an old account that has either been logged in a long time ago or never, and a new account.

storing account creation timestamp might solve this.