How to validate users on login, to check if users are active or inactive?
How to check the date when the password was changed?
The authentication model of the platform is simple but extensible, so it can adapt to custom scenarios.
For associating custom information with an end-user, a common approach is creating a 1-to-1 relationship in the data model, as you described. This is the normal way, because the User entity is not editable (that is, you cannot add new attributes).
For checking if the user is active / inactive, the default built-in action User_Login (from Users) will do. This information is stored in User.Is_Active, and the login action will fail if the user is inactive.
For getting the last instant the user changed their password, you should store this in an extended entity, as described above. You'll have to customize the login flow in order to perform this additional check. Note that you can isolate this logic (optionally packing it together with the theme), so it can be reused by multiple applications.