Update Citi password rules

[xiaoxu193]

Overall Checklist

• [x] I agree to the project's Developer Certificate of Origin
• [x] The top-level JSON objects are sorted alphabetically
• [x] There are no open pull requests for the same update

for password-rules.json

• [x] The given rule isn't particularly standard and obvious for password managers
• [x] Generated passwords have been tested from this rule using the Password Rules Validation Tool
• [x] Information has been included about the website's requirements (eg. screenshots, error messages, steps during experimentation, etc.)
• [x] The PR isn't documenting something that would be a common practice among password managers (e.g. minimal length of 6)

for change-password-URLs.json

• [ ] There is no Well-Known URL for Changing Passwords (https://example.com/.well-known/change-password)
• [ ] The URL either makes the experience better or no worse than being directed to just the domain in a non-logged-in state

for shared-credentials.json

• [ ] There's evidence the domains are currently related (SSL certificates, DNS entries, valid links between sites, legal documents etc.)
• [ ] If using shared, the new group serves login pages on each of the included domains, and those login pages accept accounts from the others. (For example, we wouldn't use a shared association from google.co.il to google.com, because google.co.il redirects to accounts.google.com for sign in.)
• [ ] If using from and to, the new group, the from domain(s) redirect to the to domain to log in.

for shared-credentials-historical.json

• [ ] You believe that the domains were associated at some point in the past and can explain that relationship

From Citi bank's password change page:

Password Guidelines

    Different from your User ID
    No spaces
    No more than 2 consecutive identical characters
    Include between 8-64 characters
    No digital images or icons

Must Include:

    Include at least 1 number
    Include at least 1 uppercase letter
    Include at least 1 lowercase letter
    Include at least 1 special characters: ~ ` ! @ # $ % ^ & * ( ) _ - \ / |

[rmondello]

It looks like someone already landed an updated rule here. I don't think this PR is needed. If I'm wrong, please re-open!