I would use an existing “secure tunneling” protocol, such as VPN or SSH, both using digital certificates, not passwords, as the foundation of my system.   Establish a secure channel of communication between the two systems using existing technologies, and use it for the entire interaction.

A “hacker” would have to gain possession of both the digital certificate and the password used to encrypt it.   (And, if you like, the IP-address embedded therein, depending on exactly what technology you use.)   Not gonna happen, presumably.   And if it somehow did, you simply invalidate that cert and issue another one.   (None of this costs money.)   Both sides know not only that their communications are secure, but that they are talking to the intended party.