Before creating your first user account, it is advisable that you visit the user account settings page and review or modify the general user account configuration settings, of which there are many.
To access the settings page choose Manage ➤ Configuration (assuming you are logged in as the administrator), and, on the Configuration page, locate the section titled “People.” Click the Account Settings link, which will take you to the page that you will use to set various configuration parameters for user accounts:
Contact settings: you may enable individual users on the site to have a personal contact form. This feature is enabled by default; to disable it, simply uncheck the box.
Anonymous users: the name used to identify anonymous users: In most cases, leaving the default value is appropriate, which is “Anonymous.”
Administrator role: what role to associate with administrator capabilities: The role selected becomes the default role assigned as the administrator of new modules that you install on the system. Using the default value “administrator” is an appropriate action.
Registration and cancellation: defines several attributes about user account registration: Who can register accounts: if only administrators can create accounts, select the first option “Administrators only.” If any visitor to your website can create their own account, select the “Visitors” option. If visitors can request an account but an administrator must approve that request before the account is active. This option is selected by default. For demonstration purposes I’ll select the first option, so that only administrators may create user accounts. Several Drupal 8 developers share more info on their blogs.
“Require e-mail verification,” is a good option to leave checked. This option requires that the user responds to a Drupal-generated e-mail that asks them to confirm their account. This helps to avoid “bot”-created user accounts, as most bots do not have the intelligence or capabilities to respond to user account verification e-mails.
The password strength indicator is a helpful tool to indicate how strong a person’s password is. A weak password may be easily hacked, whereas a strong password is harder to crack. It’s a good tool to enable to help keep your Drupal site secure. When cancelling a user account: a set of options allows you to define what happens to content on your site that was created by this user when you disable that person’s account in the future. In most cases the default option, “Disable the account and keep all content,” meets the needs of a majority of websites. You may, however, decide that one of the other options is more appropriate for your site.
Personalization: defines whether users can add signatures to their profiles. I will leave the default values for our test site; however, you may wish to enable or disable signatures depending on whether you wish to provide those capabilities to users. The e-mail address in the “Notification e-mail address” field is the e-mail address that will appear on all user account–centric e-mails that are generated by Drupal during the registration and password recovery process. By default, the site’s e-mail address defined during the installation process is the value that will be used; however, you may override the default by entering a valid e-mail address in the “Notification e-mail address” field.