Thanks for all your answers!
First I have to point out, that the only change to the viewer (that's under TOS of Linden) is reading a password from a special file, so I think this is correct:
Obviously, the aim is to hide the password, so the user can't login with the default SL Viewer right away, but still, no deal with the viewer itself.
The actual password will be encrypted, and split into two parts, data and key.
Restoring the key is no problem, it just needs the two pieces of data.
The user will be free to choose what to do with those two pieces.
If the user decides to hold both parts, there's no problem at all I think.
To summarize: The viewer will not do any changes ever to the user's account.