Best practices for user expiration on a web application
I have a web application with a simple custom-made authentication mechanism. It doesn't feature two-factor authentication or deactivation/locking users functionality. The application is not storing any sensitive data like credit cards, SSNs, account numbers etc. Email is the unique identifier for the user.
I am thinking about the following options:
1. Never expire users. The users can login/repair password after any time of inactivity. A certain time after the last login (for example 4 years) the system sends the user an email with a reminder to reset the password. The system still allows the user to login with the old password or reset the password any time after 4 years.
2. Adding locking logic. Lock the user after 4 years of inactivity to prevent login. Force the user to reset the password and verify email if login is attempted after 4 years.
3. After 4 years of inactivity send an email to the user that his account will be deactivated in 1 month if he is not accessing the system. Then archive the user and request the user to create a new account for accessing the system.
What is the best practice for user expiration logic in a simple web application?
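The following is an added illustration, not code from the question's author: it models the inactivity lifecycle behind options 2 and 3 as a small state machine (active, reminder due, locked until password reset and email verification, archived after the grace period) so the policy can be checked against concrete dates. The 4-year and 1-month thresholds come from the question; the `Account` fields, the return strings of `attempt_login`, and the daily reminder job are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional


class AccountState(Enum):
    ACTIVE = "active"              # logged in within the inactivity limit
    REMINDER_DUE = "reminder_due"  # past the limit, warning email not yet sent
    LOCKED = "locked"              # warned; login blocked until reset + email verification
    ARCHIVED = "archived"          # grace period after the warning elapsed


# Thresholds taken from the question (4 years of inactivity, 1 month grace period).
INACTIVITY_LIMIT = timedelta(days=4 * 365)
GRACE_PERIOD = timedelta(days=30)


@dataclass
class Account:
    # Hypothetical record shape for the example; email is the unique identifier.
    email: str
    last_login: datetime
    reminder_sent_at: Optional[datetime] = None


def evaluate_state(acct: Account, now: datetime) -> AccountState:
    """Derive the lifecycle state purely from timestamps, so it cannot drift from the data."""
    if now - acct.last_login < INACTIVITY_LIMIT:
        return AccountState.ACTIVE
    if acct.reminder_sent_at is None:
        return AccountState.REMINDER_DUE
    if now - acct.reminder_sent_at >= GRACE_PERIOD:
        return AccountState.ARCHIVED
    return AccountState.LOCKED


def run_daily_job(accounts: List[Account], now: datetime) -> List[str]:
    """Scheduled task: record the warning for every account that just crossed the limit.

    Returns the emails that need the reminder so the caller can send them.
    """
    to_notify = []
    for acct in accounts:
        if evaluate_state(acct, now) is AccountState.REMINDER_DUE:
            acct.reminder_sent_at = now
            to_notify.append(acct.email)
    return to_notify


def attempt_login(acct: Account, password_ok: bool, now: datetime) -> str:
    """Enforce the policy at login time.

    Lifecycle state is checked before the password result so a stale account is
    refused even when the old password is correct (option 2 in the question).
    """
    state = evaluate_state(acct, now)
    if state is AccountState.ARCHIVED:
        return "archived"        # user must create a new account (option 3)
    if state in (AccountState.REMINDER_DUE, AccountState.LOCKED):
        return "reset_required"  # old password no longer grants access
    if not password_ok:
        return "denied"
    acct.last_login = now        # successful login restarts the inactivity clock
    acct.reminder_sent_at = None
    return "ok"


def complete_reset_and_verify(acct: Account, now: datetime) -> bool:
    """Called only after a password reset AND a fresh email verification succeeded.

    Reactivates a locked account; an archived account stays archived.
    """
    if evaluate_state(acct, now) is AccountState.ARCHIVED:
        return False
    acct.last_login = now
    acct.reminder_sent_at = None
    return True
```

Deriving the state from `last_login` and `reminder_sent_at` rather than storing a separate status flag keeps the reminder job and the login path in agreement; the grace period only starts counting once the warning has actually been recorded, so an email that was never sent cannot silently archive someone.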