diff --git a/defaults/main.yml b/defaults/main.yml
index 411e347..74e3ebd 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -15,6 +15,7 @@ users_default_groups: [] users_global_umask: "022" users_pass_min_day: 1 +users_default_inactive: -1 users_global_bash_aliases: - alias: "ll"
diff --git a/tasks/bash.yml b/tasks/bash.yml
index 7549302..f73cf1f 100644
--- a/tasks/bash.yml
+++ b/tasks/bash.yml
@@ -1,14 +1,5 @@ --- - block: - - name: Stat umask files - stat: - path: "{{ item }}" - loop: - - /etc/bashrc - - /etc/csh.cshrc - - /etc/profile - register: __users_umask_files - - name: Override default .bashrc template: src: etc/bashrc.j2
@@ -25,28 +16,5 @@ owner: root group: root mode: 0644 - - name: Set global umask - replace: - path: "{{ item }}" - regexp: '^(?i)(?P\s+UMASK\s+).+' - replace: \g{{ users_global_umask }} - loop: "{{ __users_umask_files | json_query('results[?stat.exists].item') }}" - - name: Set umask in /etc/login.defs - lineinfile: - path: /etc/login.defs - regexp: '^(?PUMASK\s+).+' - line: \g{{ users_global_umask }} - backrefs: yes - state: present - - name: Enforce minimum password lifetime - lineinfile: - path: /etc/login.defs - regexp: '^(?PPASS_MIN_DAYS\s+).+' - line: \g{{ users_pass_min_day }} - backrefs: yes - state: present become: True become_user: root
diff --git a/tasks/main.yml b/tasks/main.yml
index 6a74646..3d63c0b 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -9,8 +9,8 @@ - "vars" errors: "ignore" +- include_tasks: security.yml - include_tasks: bash.yml - - include_tasks: "{{ lookup('first_found', params) }}" vars: params:
@@ -20,5 +20,4 @@ - "users_default.yml" paths: - "tasks" - - include_tasks: users_keys.yml
diff --git a/tasks/security.yml b/tasks/security.yml
new file mode 100644
index 0000000..fc0b242
--- /dev/null
+++ b/tasks/security.yml
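Review bot: `users_default_inactive: -1` is added to defaults/main.yml without any comment, and -1 is the value useradd's INACTIVE setting treats as "inactivity lock disabled", so the new default leaves the feature switched off rather than enforcing a lock. That is a reasonable conservative default for a role, but the intent and the unit should be stated next to the variable so operators know what to override, e.g. `# Days after password expiry before the account is locked (useradd INACTIVE); -1 disables the lock.` It would also help to point at the value's consumer, the INACTIVE= task in tasks/security.yml, since the variable name alone does not say which file it edits.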
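Review bot: Including security.yml ahead of bash.yml in tasks/main.yml reverses the order the old bash.yml used: the umask `replace` on /etc/bashrc now runs before the `Override default .bashrc` template task instead of after it, so if that template writes /etc/bashrc without rendering `users_global_umask` itself, the umask edit is overwritten on every run and the play still reports success (the template's `dest` is outside this diff, so this is inferred from the task name and the `src: etc/bashrc.j2` context line). Either swap the two includes, `- include_tasks: bash.yml` followed by `- include_tasks: security.yml`, or make etc/bashrc.j2 render the umask so the ordering stops mattering. Worth a comment above the includes either way, e.g. `# security.yml edits files that bash.yml templates; keep the order deliberate.`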
@@ -0,0 +1,43 @@
+---
+- block:
+ - name: Stat umask files
+ stat:
+ path: "{{ item }}"
+ loop:
+ - /etc/bashrc
+ - /etc/csh.cshrc
+ - /etc/profile
+ register: __users_umask_files
+
+ - name: Set global umask
+ replace:
+ path: "{{ item }}"
+ regexp: '^(?i)(?P\s+UMASK\s+).+'
+ replace: \g{{ users_global_umask }}
+ loop: "{{ __users_umask_files | json_query('results[?stat.exists].item') }}"
+
+ - name: Set umask in /etc/login.defs
+ lineinfile:
+ path: /etc/login.defs
+ regexp: '^(?PUMASK\s+).+'
+ line: \g{{ users_global_umask }}
+ backrefs: yes
+ state: present
+
+ - name: Enforce minimum password lifetime
+ lineinfile:
+ path: /etc/login.defs
+ regexp: '^(?PPASS_MIN_DAYS\s+).+'
+ line: \g{{ users_pass_min_day }}
+ backrefs: yes
+ state: present
+
+ - name: Set default account expiration after inactivity
+ lineinfile:
+ path: /etc/default/useradd
+ regexp: "^(?PINACTIVE=).+"
+ line: \g{{ users_default_inactive }}
+ backrefs: yes
+ state: present
+ become: True
+ become_user: root
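Review bot: All three `lineinfile` tasks in tasks/security.yml use `backrefs: yes`, which only rewrites a line that already matches the regexp, so on a host where /etc/login.defs has no UMASK or PASS_MIN_DAYS line, or /etc/default/useradd has INACTIVE= commented out or absent, the hardening is silently skipped and the task still reports ok. Drop `backrefs` and write the whole line instead, e.g. `regexp: '^UMASK\s+'` with `line: "UMASK {{ users_global_umask }}"`, and likewise `regexp: '^INACTIVE='` with `line: "INACTIVE={{ users_default_inactive }}"`, so a missing line is appended rather than ignored. As printed, the named groups read `(?PUMASK\s+)` and the replacements `\g{{ … }}`, which is not valid Python group syntax; presumably the `<name>` part was lost in rendering, but confirm the committed file carries `(?P<name>…)` and `\g<name>` before this ships. Finally, `backrefs: yes` and `become: True` should be written `true` so the booleans parse the same under YAML 1.1 and 1.2 loaders.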