On Android, you create your own application signing key. That key is used for the entire life of your application: you use the same key to release every version. It is what links version 1.0 to v1.1 to v2.0. If a release is not signed with the same key, it will be considered a totally different application.
The reason there are two passwords is that your keystore can actually contain an unlimited number of keys, so the keystore has a password and each key in the keystore has its own password. Anyone who has access to this key can pretend to be you. This is helpful for build servers, but not so helpful if you lose the keys. You cannot change the key at a later time, so making backups of your keystore is extremely important.
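The two passwords and the backup step described above, as an added example that is not part of the original page. The alias, file names, certificate name and the `STOREPASS`/`KEYPASS` environment variable names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: alias, paths and the STOREPASS/KEYPASS variable names are assumptions.

# Create a keystore holding one release key. STOREPASS opens the keystore
# file, KEYPASS unlocks this one entry. JKS is used because keytool ignores
# -keypass for PKCS12 keystores (one password covers store and key there).
# Passwords are read from the environment so they stay off the command line.
make_keystore() {   # usage: make_keystore <keystore> <alias>
  keytool -genkeypair -storetype JKS -keystore "$1" -alias "$2" \
    -keyalg RSA -keysize 2048 -validity 10000 \
    -dname "CN=Example Release Key" \
    -storepass:env STOREPASS -keypass:env KEYPASS
}

# SHA-256 fingerprint of the certificate stored under an alias. Comparing it
# between the original and a backup confirms the backup holds the same key.
cert_fingerprint() {   # usage: cert_fingerprint <keystore> <alias>
  keytool -list -v -keystore "$1" -alias "$2" -storepass:env STOREPASS \
    2>/dev/null | awk '/SHA256:/ {print $2; exit}'
}

file_sha256() {   # usage: file_sha256 <file>
  sha256sum "$1" | awk '{print $1}'
}

# Copy the keystore into a backup directory with owner-only permissions and
# keep the copy only if it is byte-identical to the source.
backup_keystore() {   # usage: backup_keystore <keystore> <backup_dir>
  bk_src=$1
  bk_dir=$2
  [ -f "$bk_src" ] || { echo "no such keystore: $bk_src" >&2; return 1; }
  mkdir -p "$bk_dir" || return 1
  chmod 700 "$bk_dir" || return 1
  bk_dest="$bk_dir/$(basename "$bk_src").$(date +%Y%m%d%H%M%S).bak"
  ( umask 077; cp "$bk_src" "$bk_dest" ) || return 1
  if [ "$(file_sha256 "$bk_src")" != "$(file_sha256 "$bk_dest")" ]; then
    echo "backup does not match source: $bk_dest" >&2
    rm -f "$bk_dest"
    return 1
  fi
  printf '%s\n' "$bk_dest"   # path of the verified backup
}
```

After `backup_keystore`, running `cert_fingerprint` on both the original and the copy should print the same value; store the copy somewhere other than the build machine.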